The work of a graduate student at Georgia Tech has led to the creation of a patch to repair a VistA EHR security vulnerability in one of the most widely used EHR systems, according to an announcement by the Open Source Electronic Health Record Agent (OSEHRA).
The non-profit organization responsible for hosting the software repositories for the Veterans Health Information Systems and Technology Architecture (VistA) EHR as well as supporting a community dedicated to innovated on this and other open source EHR systems is heralding the experience as a “textbook example” of how an open source approach to collaboration can improve the security of EHR systems.
“We’re very proud of both the process and the outcome here,” said Dr. Seong Ki Mun, CEO of OSEHRA, in a public statement. “A single interested individual found a vulnerability that impacted the entire community. Every VistA user can use the resulting patch to improve security for their patients. The level of cooperation among agencies, companies, and individuals was unprecedented, and demonstrates the real power of the open source community.”
So how did the whole thing come about? In a term project on computer security, Tech graduate Doug Mackey evaluated the Veterans Health Information Systems and Technology Architecture (VistA) EHR with the intention of demonstrating the widely used electronic system could be susceptible to organized attacks and other threats.
“After obtaining an open source version of the VistA software, Mackey began a systematic examination of the code base and found what appeared to be a significant security hole in an obscure communications broker program,” the statement from OSEHRA reveals. “It appeared that, with some creative formatting, a message could be sent that enabled the sender to subsequently execute a wide variety of remote commands without authentication.”
According to OSEHRA, the identification of the VistA EHR vulnerability then led to a “landmark” moment for the Department of Veterans Affairs (VA) and the open source community:
A team of OSEHRA staff and corporate members, including the VistA Expertise Network (VEN), DSS, Inc., Medsphere, iCare, and California’s Oroville Hospital operated under non-disclosure as they developed a patch. VEN led the code development effort. A parallel effort was already underway at VA, and they soon added a representative to the OSEHRA team as well. The Indian Health Service, whose Resource and Patient Management System (RPMS) also appeared vulnerable, added their own representative to the team.
The collaboration has created patches for the VistA EHR, one from the VA that addresses the immediate threat and another from OSEHRA that includes additional features as a result of community collaboration. While the VA has expedited its own patch, it has chosen to evaluate the OSEHRA open source version as it moves forward with the process.