How a Flaw in VA Software Was Found
Researcher Describes 'Adversarial Security Analysis'
"It's very important to conduct proper adversarial security analysis of your software in addition to penetration testing," he says.
Mackey, a former security analyst for Australia's Department of Defense, conducted his research on the VA's open source software as part of his graduate work in information security at the Georgia Institute of Technology.
The vulnerability he discovered in the VA's Veterans Health Information Systems and Technology Architecture software was related to its remote messaging capabilities, he says. The flaw was introduced into the software in 2002 and remained undetected for more than a decade until Mackey identified it in June, he claims.
"It's only when you have someone who comes in and imagines that they are some kind of adversary ... that such vulnerabilities are found," Mackey explains in an interview with Information Security Media Group.
"If you have an open source product with a vibrant community around it, this experience shows that open source allows interested independent researchers to contribute important insights to the software, which wouldn't be possible with proprietary source [code software]," he says.
"If this system was proprietary, this vulnerability may never have been found. On the down side, opening up software to the whole world ... also allows potential malicious actors significant insight into your system."
Once the vulnerability was brought to the attention of VistA developers at the VA, the department collaborated with developers from the non-profit group Open Source Electronic Health Record Agent, or OSEHRA, to develop a patch for the security vulnerability, he says. Georgia Tech and OSEHRA jointly publicized the discovery and the patch.
In the interview, Mackey also describes:
- How he discovered the security flaw in VistA, an integrated inpatient and outpatient EHR used for years by tens of thousands of clinicians for the care of millions of VA patients;
- The potential security risks that the vulnerability - if exploited - presented to VA systems, as well as the potential privacy and safety risks posed to patients;
- Lessons learned from the investigation.
The VA, the largest U.S. provider of healthcare, did not respond to Information Security Media Group's requests for comment on the VistA vulnerability discovered by Mackey, or its subsequent software patch to address the flaw. The VA and Department of Defense are working on plans for integrating VistA and the DoD's EHR systems (see: VA, DoD EHR Project: Security Game Plan).
Mackey, who was an analyst for Australia's Department of Defense for more than 10 years, helped to develop the nation's cyberdefense capability before moving to the U.S. to pursue a master's in information security at Georgia Tech. As an independent information security analyst, he has published several papers on international cyberpolicy issues. He holds a CISSP certification and has a bachelor's degree in theoretical physics from the Australian National University.