M2M Broker Security Patch
In late July, a VistA security vulnerability was discovered in the M2M Broker by a graduate student named Doug Mackey as part of an academic exercise at Georgia Tech. The VISTA Expertise Network validated the vulnerability for some VistA configurations and contacted OSEHRA to coordinate a community response. A special open-source project group, the Special Software Enhancement Project (SSEP), was formed. Operating under non-disclosure agreements (industry best practice in handling zero-day exploits), OSEHRA members and collaborating partners (including VA and IHS) worked jointly to create and test an applicable patch. The patch introduces a new variable that designates whether the M2M Broker is required at a site. For example, systems that use the DICOM Gateway require the broker. Where the broker is required, the patch corrects the security deficiency; otherwise, the patch disables the broker. NOTE: if your site is a multi-divisional site, please contact Mike Henderson at firstname.lastname@example.org for additional information prior to patch installation.
OSEHRA is pleased to report the completion of this effort and the successful distribution of patches to the impacted Veterans Affairs and Indian Health Service sites. The OSEHRA patch is now available for download at http://files.osehra.org/SSEP/. This completes the SSEP charter, and the SSEP is therefore dissolved. This action removes all restrictions on those who have signed Non-Disclosure Agreements on this subject.
OSEHRA is grateful for the support received from its members in addressing this issue, and for the cooperation of all NDA signatories in controlling the dissemination of information on this issue.