Security researcher Zachary Minneker discovered a flaw in how the U.S. Department of Veterans Affairs' VistA (Veterans Information Systems and Technology Architecture) records platform encrypts internal credentials. Minneker determined that, without an additional layer of network encryption such as TLS, hackers can easily defeat VistA's 1990s-era encryption system.
The flaw could potentially allow hackers to impersonate health care providers, modify patient records, input diagnoses, or prescribe medications, Minneker says.
"If you were adjacent on the network without TLS, you could crack passwords, replace packets, make modifications to the database," he says. "In the worst-case scenario, you'd essentially be able to masquerade as a doctor. This is just not a good access control mechanism for an electronic medical record system in the modern era."
Minneker has been unable to share his findings with the VA, possibly because the agency is working to replace VistA with a Cerner system.
Abstracts Copyright © 2021 SmithBucklin, Washington, DC, USA