Student discovery leads to security patch for VistA

A graduate student's discovery of a security gap in VistA's open source electronic health record software has enabled organizations to work together to create a patch for it, according to an article in

Georgia Institute of Technology student Doug Mackey, who was reviewing the code in an open source version of VistA for a school project, found a gap that appeared to allow a sender of messages to execute remote commands without authentication, according to the article. VistA contacted the Open Source Electronic Health Records Agent (OSEHRA), which hosts software repositories for VistA and other applications, to put together a collaborative effort to create and test a patch to correct the security gap.

The patch has now been distributed to Veterans Affairs and Indian Health Services sites.

"We're very proud of both the process and the outcome here," Seong Ki Mun, CEO of OSEHRA, said in a statement. "A single interested individual found a vulnerability that impacted the entire community. Every VistA user can use the resulting patch to improve security for their patients.

"The level of cooperation among agencies, companies, and individuals was unprecedented, and demonstrates the real power of the open source community."

Advocates of open source EHR systems such as VistA claim that they are better than closed proprietary systems in terms of development, innovation and continuous quality improvement. The U.K. announced earlier this year that it is considering adoption of an open source EHR such as VistA.
