The Department of Veterans Affairs knew of significant security weaknesses in its main electronic health record system that would allow anonymous users to access patient data and other sensitive information in direct violation of existing policies and federal privacy laws, according to an internal security briefing obtained by FedScoop.
According to a so-called “Decision Briefing” by VA’s Field Security Service, the Office of Information Security briefed senior VA managers in April 2013 on threats posed by anonymous user access to the Veterans Integrated System Technology Architecture — the automated system that supports the day-to-day functions of VA’s nationwide network of hospitals and clinics and is now at the center of the secret wait list scandal currently under investigation — known as VistA.
“VistA and external systems/applications have created designs which result in anonymous user access/interaction with VistA applications and patient healthcare data and will extend to other sensitive/confidential areas,” the briefing document states. “Since the end user is anonymous to VistA, there is no roles based authorization restriction imposed on users.”
According to the brief, the absence of such basic security controls “compromises existing VA access, authorization, auditing and privacy controls…contradicts VA Directives and policy…[and] violates current information security and privacy legislation and regulations.”
FedScoop reached VA for comment, but the agency said it needed more time to get answers from officials.
A slide from an April 2013 VA Field Security Service Decision Briefing shows the lack of identity management and audit capabilities in VistA.
Two former VA officials who reviewed the documents said senior VA officials have known for more than a year that VistA was insecure and vulnerable to insider manipulation — the same type of manipulation that for the past decade may have allowed VA managers to anonymously “game the system” by making wait times appear shorter than they actually were.
“This is a huge, basic, fundamental security hole,” said a former VA cybersecurity specialist, who spoke to FedScoop on condition of anonymity. “When I read this, all I can see is that VA doesn’t even know who is logging on to their systems,” the former official said.
“VistA is highly vulnerable to insider manipulation,” said a former VA contractor with detailed knowledge of the briefing document. “Security is horrible on VistA. Having worked for many years at VA, everyone knew that VistA had serious issues with security and people regularly manipulate the systems because of very weak access controls.”
The former officials who spoke to FedScoop pointed to what they considered obvious failures of oversight by VA’s inspector general and the Federal Information Security Management Act auditing process, known as FISMA. VA has yet to issue their 2013 fiscal year FISMA report, which many other agencies released in November of last year. But the issue of identity management and access control begins to appear more prominently in VA’s 2012 FISMA audit report.
According to the former VA security specialist, VA should have had basic security mechanisms in place, such as identity management, separation of duties and audit logs.
“It looks like none of these were in place so ‘gaming’ the system was simple to do,” the official said.
Robert A. Petzel, VA’s undersecretary for health, acknowledged that the agency has been aware of the user access abuses on VistA during a May 15 hearing of the Senate Committee on Veterans Affairs.
“We have been working continuously to try to identify where those sites are and how to prevent them from happening,” Petzel said.
But VA sources acknowledge that even if the agency was actively auditing VistA, the system was not capable of alerting security officials to unusual user behaviors or unauthorized access. As late as 2009, information security officers used an automated script to log access to veterans health records. The script was designed by VA security officers in Florida. An information security officer would then be assigned the task of reviewing the lists created by the script and reporting anything that looked unusual, according to sources.
The inspector general’s
interim report on its investigation into the scheduling practices of VA’s Phoenix healthcare system, released May 28, identified multiple types of scheduling practices that violated agency policy. But the security briefing document also lays out the “consequences” of VistA’s current state of anonymity.
The lack of security controls “prevents VA from ensuring the safety and privacy of Veteran healthcare and benefits information,” according to the document. It also “contradicts VA policy…prohibiting creation and use of generic user definitions in computing environments” and is “likely in violation of laws and regulations,” such as the Health Insurance Portability and Accountability Act, which grants patients the right to know who has accessed their medical records and requires healthcare providers to limit information access according to role-based authorization logic.
The briefing document recommended that VistA be modified to “facilitate” identity and access management solutions and called upon VA to “establish policies and governance to prevent un-auditable access methods.” VA was also urged to fix all “consumer applications” that may have been impacted by the vulnerabilities and also to develop a method for “tracking rogue transactions.”
A 2013 briefing from VA’s Office of Information Security shows the current level of risk posed by VistA’s anonymous user vulnerability.
