News: A Flaw in the VA’s Medical Records (VistA) Platform May Put Patients at Risk


Kekoa

Aug 14, 2022, 2:19:40 AM
to Hardhats
Link to story... https://www.wired.com/story/va-vista-medical-records-flaw/

Sadly, this isn't news to me or some of you. From within the walls, this is about leadership being held accountable for their indecisions and to not hold to the VA's ICARE values when pressed.

I have spoken up, I have been ignored. 

There are multiple vulnerabilities in VistA - this is just the tip of the iceberg folks. I feel like this will become the hit piece that pushes VistA off the cliff to prop up Cerner no matter the cost.

Sam Habiel

Aug 14, 2022, 2:52:08 PM
to hardhats
If I am guessing on what he means by the vulnerability, fixes have been developed inside the VA, but they have never been deployed.

--Sam

--
--
http://groups.google.com/group/Hardhats
To unsubscribe, send email to Hardhats+u...@googlegroups.com

---
You received this message because you are subscribed to the Google Groups "Hardhats" group.
To unsubscribe from this group and stop receiving emails from it, send an email to hardhats+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/hardhats/526e5bd4-6c78-448f-83bc-b3606e629108n%40googlegroups.com.

ivaldes

Aug 14, 2022, 5:09:33 PM
to Hardhats
It is a trivial exercise to run all traffic over an SSH tunnel. Furthermore, firewall whitelisting and virtualizing CPRS in a browser adds even more protection. Astronaut has had this for many years. Raphael Richards demonstrated this capability at the 2021 VistA meeting. It had mil-spec security certification. You would have to **get** to the VA internal network to do a man-in-the-middle attack. Good luck. I find this article to be far-fetched. I haven't read Wired in a long time. It looks like their reporting has declined.

-- IV

Nancy Anthracite

Aug 14, 2022, 6:42:11 PM
to Hardhats, ivaldes

This issue has been recognized and dealt with for a very long time, in and outside the VA. I had someone pestering me about it in the docker images we have as well until I had to put a note that we knew about it and these were just demo systems. I guess it makes good press once in a while, but if they had asked about it, we could have told them not to bother reporting it. But then, I am sure there would have been great reluctance to suppress a story.


--

Nancy Anthracite

Kekoa

Aug 17, 2022, 6:55:17 PM
to Hardhats
Back when the Hui existed, 2005?, my colleague Lance built a CPRS installer that would funnel CPRS traffic through an SSL socket. Yes, it has been dealt with outside the VA.

Remind me again - how has this been dealt with in the VA?

I'm attending VA meetings and they have the same "nothing to see here folks, this is not an issue" attitude. To see similar rhetoric here is disappointing.
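The two mitigations mentioned in this thread, ivaldes's "run all traffic over an SSH tunnel" and the SSL-socket wrapper Kekoa describes, both come down to the same thing: the CPRS client must never put RPC Broker traffic on the wire in plaintext. The script below is an added example written for this discussion, not code from the thread, from VistA, or from any of the projects named here. It shows the weak configuration (client pointed straight at the broker host) beside the hardened one (an SSH local port forward bound to loopback, failing loudly if the forward cannot be established), plus a check that the resulting listener is bound to 127.0.0.1 only, run over a constructed `ss -ltn` style sample. The hostnames, the jump host, and the broker port 9430 are assumptions for illustration; substitute your site's values.

```shell
#!/bin/sh
# Added example, not from the thread: wrap a plaintext RPC Broker session in an
# SSH local port forward so the client only ever speaks plaintext to loopback.
# Assumed values (not from the thread): broker port 9430, broker host
# vista-db.example.internal, SSH jump host vista-gw.example.internal.

BROKER_PORT=9430
BROKER_HOST="vista-db.example.internal"
SSH_GATEWAY="vista-gw.example.internal"
LOCAL_PORT=9430

# Weak configuration: the client target is the broker host itself, so the whole
# session, sign-on included, crosses the network unencrypted.
direct_client_target() {
    printf '%s:%s\n' "$BROKER_HOST" "$BROKER_PORT"
}

# Hardened configuration: the ssh command that opens a loopback-only forward.
#   -N                          forwarding only, no remote shell
#   -o ExitOnForwardFailure=yes fail instead of leaving the client unprotected
#   -o ServerAliveInterval=30   keep long idle clinical sessions alive
#   -L 127.0.0.1:LOCAL:HOST:PORT bind loopback only, never 0.0.0.0
tunnel_command() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -L 127.0.0.1:%s:%s:%s %s\n' \
        "$LOCAL_PORT" "$BROKER_HOST" "$BROKER_PORT" "$SSH_GATEWAY"
}

# What the client should be pointed at once the tunnel is up.
tunneled_client_target() {
    printf '127.0.0.1:%s\n' "$LOCAL_PORT"
}

# Verify that every LISTEN socket on the given port is bound to 127.0.0.1.
# Reads `ss -ltn` formatted lines (State Recv-Q Send-Q Local:Port Peer:Port)
# from its second argument; returns 0 if loopback-only, 1 otherwise.
listener_is_loopback_only() {
    port="$1"
    input="$2"
    printf '%s\n' "$input" | awk -v p="$port" '
        $1 == "LISTEN" {
            n = split($4, a, ":")
            lp = a[n]
            addr = substr($4, 1, length($4) - length(lp) - 1)
            if (lp == p && addr != "127.0.0.1") bad = 1
        }
        END { if (bad) exit 1; exit 0 }'
}

# Constructed sample output in `ss -ltn` format (not captured from a real host):
# the first listener is correct, the second would expose the forward to the LAN.
SAMPLE_GOOD="State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.1:9430 0.0.0.0:*"
SAMPLE_BAD="State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:9430 0.0.0.0:*
LISTEN 0 128 [::]:9430 [::]:*"

demo() {
    echo "insecure target : $(direct_client_target)"
    echo "tunnel command  : $(tunnel_command)"
    echo "tunneled target : $(tunneled_client_target)"
    if listener_is_loopback_only "$LOCAL_PORT" "$SAMPLE_GOOD"; then
        echo "sample 1: forward bound to loopback only (ok)"
    fi
    if ! listener_is_loopback_only "$LOCAL_PORT" "$SAMPLE_BAD"; then
        echo "sample 2: forward exposed on a non-loopback address (fix the -L bind)"
    fi
}

[ "${1:-}" = "demo" ] && demo
```

In practice the tunnel command runs before the client is launched, and the loopback check is the thing to wire into whatever starts the client: a forward that silently binds to 0.0.0.0 (for example when `GatewayPorts` is set on the client side) turns the mitigation into a second plaintext listener, which is exactly what the check catches.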

Kevin Toppenberg

Aug 22, 2022, 9:23:14 AM
to Hardhats
I am an outsider, so I don't have a dog in this race. But my perception is that this is kind of like telling your grandfather that his car won't win in a race anymore. I've been on VA campuses where most of the buildings were older and repurposed from decades past. Why not tear them all down and build new ones? Why not put in a skyscraper with express elevators? Why? Because the government is trying to be frugal with taxpayer money, and do the best job they can with the resources they have. So now take VistA. It is likewise a product of decades past. Yes it has undergone continual improvement. But there are still parts that can definitely be improved. I think I am preaching to the choir when I say that the VA administration seems to have purposely put themselves in this position when they tried to freeze the code base and stop further development. And then, given enough time, sure enough -- those areas that were not improved are now lacking in the latest and greatest technologies.

So I guess I wouldn't say that it's a "nothing to see here folks, this is not an issue" attitude. But rather an understanding that the alternative is to spend 50 billion dollars on a replacement. Money that would be better spent helping veterans in other ways. I agree that this article seems like a hit piece. Kind of like trying to shift attention away from the huge amount of money being spent on VistA's replacement. But there is NO way that I would ever want to try to head up such a project. It's like there is no solution that can check all the boxes.

Kevin

ivaldes

Aug 22, 2022, 1:31:46 PM
to Hardhats
Maintenance is nearly always much cheaper than replacement by far. Oil change $30, gasket replacement is usually a few hundred dollars every 10-15 years, burnt engine overhaul $4,000-$5,000 or more.