OSEHRA Community Response to Cybersecurity for VistA

The OSEHRA Community Response on Cybersecurity for VistA is now available for review and comment.

The response addresses the four key questions from VA:

  1. Does the open source community have a focus on cyber security?
  2. Are projects to enhance cybersecurity proposed to OSEHRA by the open source community? If so, have any been completed?
  3. Are there lessons learned from Red Hat/Linux with respect to cybersecurity that might be applicable to health IT?
  4. What is the relationship of OSEHRA certification to cybersecurity?

VA has directed that OSEHRA form a VistA Security Technical Working Group as part of our open source support contract.  Details and charter are currently being defined.  Community participation will be solicited.  Further information on this and other aspects of the contract will be provided on our April Webinar call on Tuesday, April 19.  Register now to attend.

I thank our community members who contributed to this important effort.

Seong K. Mun, PhD
President and CEO, OSEHRA

MUMPS' structural security advantages


We should mention that memory mis-management (of the sort that caused the Heartbleed bug in SSL) and string-buffer overruns are impossible in MUMPS, while SQL injection is impossible if using a MUMPS database and unlikely (at least compared to C) even when using an SQL back-end. These three dangers (memory, string buffers, SQL injection) are the low-hanging fruit that attackers seek out first, and are probably the three main causes of cybersecurity issues. (The Anthem data breach in 2014 was a straightforward SQL injection, for example.)

There's one mainstream vulnerability that we do potentially share, though. Are we encrypting our databases?
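The SQL-injection point in the comment above, as an added example that is not part of the original post and not VistA or MUMPS code: a Python stand-in using an in-memory SQLite table (the `patient` table, its columns and rows are constructed sample data) shows why a query assembled by string concatenation hands control of the statement to the caller, while a parameterized query binds the same input as data. The function names and the payloads are the example's own.

```python
"""Added example: SQL injection versus parameterized queries, illustrated
on SQLite. Nothing here is from the OSEHRA page or any VistA/MUMPS code;
the table, rows and payloads are constructed for the demonstration."""
import sqlite3

# Constructed sample data: a hypothetical member index. Not real records.
SAMPLE_ROWS = [
    ("M1001", "Alice Example", "1970-01-01"),
    ("M1002", "Bob Example", "1982-05-17"),
    ("M1003", "Carol Example", "1991-11-30"),
]

# Two constructed attacker inputs. The first turns the WHERE clause into a
# tautology; the second closes the quoted literal and comments out the rest.
PAYLOAD_TAUTOLOGY = "' OR '1'='1"
PAYLOAD_COMMENT = "M1001' --"


def make_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patient (member_id TEXT, name TEXT, dob TEXT)")
    conn.executemany("INSERT INTO patient VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, member_id):
    """Build the statement by concatenation. Any quote character inside
    member_id is interpreted as SQL, so the caller rewrites the query."""
    sql = ("SELECT member_id, name, dob FROM patient "
           "WHERE member_id = '" + member_id + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, member_id):
    """Send the value separately from the statement text. The driver binds
    it as a string literal, so quotes in it can never alter the query."""
    sql = "SELECT member_id, name, dob FROM patient WHERE member_id = ?"
    return conn.execute(sql, (member_id,)).fetchall()


def compare(member_id):
    """Run both lookups on a fresh database and return the row counts, so
    the difference for a given input can be checked directly."""
    conn = make_db()
    vulnerable = lookup_vulnerable(conn, member_id)
    safe = lookup_parameterized(conn, member_id)
    conn.close()
    return {"vulnerable": len(vulnerable), "parameterized": len(safe)}


if __name__ == "__main__":
    for payload in ("M1002", PAYLOAD_TAUTOLOGY, PAYLOAD_COMMENT):
        print(repr(payload), compare(payload))
```

With the constructed rows, the tautology payload returns every row from the concatenated query and no rows from the parameterized one; the comment payload returns Alice's row from the concatenated query without the caller ever supplying a well-formed ID. Parameter binding covers values only: table and column names, sort orders and similar identifiers cannot be bound and must be checked against an allowlist instead.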


OSEHRA Security Group


First, I think this is an important step forward.  I'm new to the OSEHRA discussions, but have worked within commercial EHR environments since 2011 and understand the importance of the topic of security from the Health IT perspective.  I worked prior to my healthcare experience in software across various industries and security has always been an element.

Why this discussion is important to me is that I am currently experimenting with encryption at the routine level (InterSystems Caché, ANSI M) via lib zaesenc & zaesdec, for example.  While we have various layers of security from the network down to the Caché servers, we always want to identify other methods that could lend to more secure systems.  While encrypting/decrypting data at the routine level may appear overkill, I'm slowly trying to gather use cases where it's actually useful, as long as the CPU cycles expended are not a detriment to the system.

I'm eager to read this document and to see what the VistA Security Technical Working Group accomplishes.