Healthcare // Security & Privacy
08:00 AM
Connect Directly

Hacking Electronic Health Records

How a dangerous security flaw discovered in one of the most pervasive electronic medical record platforms in the U.S. was found and fixed before it could do damage.

Graduate student Doug Mackey was starting to wonder whether his research on the security of one of the nation's most ubiquitous electronic health records (EHR) software platforms was so interesting after all. A month of poking around for vulnerabilities in the simulated EHR system he had fashioned in a makeshift lab in his apartment hadn't turned up anything out of the ordinary in the code.

But then one day this spring, he spotted something in a second interface he was testing that shocked him: "It was very quickly obvious that it had no real security at all," says Mackey, a student in Georgia Tech's information security program. "I was quite surprised."

Mackey had discovered a major logic flaw in a key component of the code in the so-called VistaA (Veterans Health Information Systems and Technology Architecture) software, a platform originally built by the U.S. Veterans Administration for internal use at its hospitals and clinics, and later handed over to the open-source community to further its development and adoption across the entire health-care industry. It's one of the most widely adopted platforms for EHR in the country by VA and commercial hospitals and clinics, and it has also gained some traction overseas.

Read the rest of this article on Dark Reading.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
12/5/2013 | 1:49:58 PM
Re: More security needed
Yeah, 3rd party, middleware security solutions are the answer. Sure they are.


Go watch the old movie The Net and then come back and post some more on this. And, no, don't post about how Sandra Bullock is hottest programmer ever, if her character was real.
User Rank: Apprentice
12/5/2013 | 9:55:43 AM
Re: hack
Good question, David. In the case of DrFirst, they've brought in some big guns from the medical and technology fields, but your question is very valid.
David F. Carr
David F. Carr,
User Rank: Author
12/5/2013 | 9:41:13 AM
Re: hack
This one was a government IT system and one that's been around for a while. I wonder if commercial products would be more or less vulnerable.
User Rank: Apprentice
12/5/2013 | 9:07:20 AM
More security needed
With the proliferation of electronic health records, we will unfortunately be seeing more of these stories. Security will become increasingly important in the recording, storing and transferring of information. The private sector is becoming more attentive to this area. with companies like DrFirst providing robust solutions for securing not only health care information, but also for the communication among healh care providers.
User Rank: Author
12/5/2013 | 8:57:52 AM
This one was caught, but it does make you wonder about all the vulnerabilities that were not spotted before a hacker makes use of them.
Healthcare Data Breaches Cost More Than You Think
Healthcare Data Breaches Cost More Than You Think
Healthcare providers just don't get it. They refuse to see the need to fully secure their protected health information from unauthorized users -- and from authorized users who abuse their access privileges. As a result, they don't allocate enough budgetary resources for securing medical data.
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends to Watch in Financial Services
IT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of July 17, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.