The department's records platform, VistA, first instituted in the late 1970s, is lauded as effective, reliable, and even innovative, but decades of underinvestment have eroded the platform. Multiple times throughout the 2010s, the VA has said it will replace VistA with a commercial product, and the latest iteration of this effort is currently ongoing. In the meantime, however, security researchers are finding real security issues in VistA that could affect patient care.
At the DefCon security conference in Las Vegas on Saturday, Zachary Minneker, a security researcher with a background in health care IT, presented findings about a worrying weakness in how VistA encrypts internal credentials. Minneker found that, without an additional layer of network encryption, the home-brewed encryption developed for VistA in the 1990s to protect the connection between the network server and individual computers can be easily defeated.
“If you were adjacent on the network without TLS, you could crack passwords, replace packets, make modifications to the database. In the worst-case scenario, you'd essentially be able to masquerade as a doctor,” Minneker tells WIRED. “This is just not a good access control mechanism for an electronic medical record system in the modern era.”
Minneker, who is a security engineer at the software-focused firm Security Innovation, only briefly discussed the findings during his DefCon talk, which was mostly focused on a broader security assessment of VistA and the database programming language MUMPS that underlies it. He has been attempting to share the finding with the VA since January through the department's