The U.S. Department of Veterans Affairs (VA) and the open source IT community have paired up to prove the benefits of fixing technical security flaws within an open source system. According to the Open Source Electronic Health Record Agent (OSEHRA) corporation, Georgia Tech graduate student Doug Mackey evaluated the Veterans Health Information Systems and Technology Architecture (VistA) EHR for a term project on computer security and found a substantial security vulnerability.
Mackey broke down VistA’s code base as part of his project and found a large gap in an obscure communications broker program. According to OSEHRA, with some creative formatting, a message could be sent that allowed an unauthorized user to execute a number of remote commands. OSEHRA, a non-profit corporation that focuses on open source EHR collaboration, led the collaborative effort to fix the issue.
A team of OSEHRA staff and corporate members, including the VistA Expertise Network (VEN), DSS, Inc., Medsphere, iCare, and California’s Oroville Hospital, operated under non-disclosure as they developed a patch. VEN led the code development effort. The VA simultaneously made its own effort to create a patch for the immediate threat and added a representative to the OSEHRA team. The Indian Health Service, whose Resource and Patient Management System (RPMS) also appeared vulnerable, added its own representative to the team. The OSEHRA patch included some collaborative features; the VA quickly distributed its own patch, and other VistA users can use the OSEHRA version.
“We’re very proud of both the process and the outcome here,” said Dr. Seong Ki Mun, CEO of OSEHRA. “A single interested individual found a vulnerability that impacted the entire community. Every VistA user can use the resulting patch to improve security for their patients. The level of cooperation among agencies, companies, and individuals was unprecedented, and demonstrates the real power of the open source community.”