acm-header
Sign In

Communications of the ACM

ACM TechNews

Flaw in VA's Medical Records Platform May Put Patients at Risk


crack in U.S. Department of Veterans Affairs logo

Security researcher Zachary Minneker discovered a flaw in the U.S. Department of Veterans Affairs' VistA (Veterans Information Systems and Technology Architecture) records platform in how it encrypts internal credentials. Minneker determined that without an additional layer of network encryption, like TLS, hackers easily can defeat VistA's 1990s-era encryption system.

The flaw could potentially allow hackers to impersonate health care providers, modify patient records, input diagnoses, or prescribe medications, Minneker says.

"If you were adjacent on the network without TLS, you could crack passwords, replace packets, make modifications to the database," he says. "In the worst-case scenario, you'd essentially be able to masquerade as a doctor. This is just not a good access control mechanism for an electronic medical record system in the modern era."

Minneker has been unable to share his findings with the VA, possibly because the agency is working to replace VistA with a Cerner system.

From Wired
View Full Article – May Require Paid Registration

 

Abstracts Copyright © 2021 SmithBucklin, Washington, DC, USA


 

No entries found

Sign In for Full Access
» Forgot Password? » Create an ACM Web Account