Popular healthcare software OpenEMR contained multiple security flaws
August 7, 2018
Security researchers discovered as many as 30 security vulnerabilities in OpenEMR, the most popular open-source electronic medical record and medical practice management solution in the world.
If exploited, these flaws could allow hackers to carry out multiple remote code executions and multiple SQL injections, bypass portal authentication, upload files without any restrictions, and carry out unauthenticated administrative actions.
OpenEMR is free and open-source software that allows hospitals, clinics, and other healthcare institutions to maintain electronic medical records, schedule appointments, manage practices, and carry out electronic billing. It is used by hundreds of healthcare institutions across the world that cater to nearly 100 million patients.
In July, researchers at security firm Project Insecurity discovered as many as 30 vulnerabilities in OpenEMR that could put health records of millions of people at risk of breach. According to the researchers, the vulnerabilities included "a portal authentication bypass, multiple instances of SQL injection, multiple instances of remote code execution, unauthenticated information disclosure, unrestricted file upload, CSRFs including a CSRF to RCE proof of concept, and unauthenticated administrative actions."
For instance, a hacker could bypass the Patient Portal Login by simply navigating to the registration page and modifying the requested URL to access the desired page. This way, the hacker could access secure chats, patient reports, details of medications, allergies, problems, and lab results.
A hacker could also carry out an SQL injection to view data from a target database or to perform database functions without having to undergo authentication on the Patient Portal. The researchers also demonstrated how hackers could carry out multiple SQL injections for various purposes.
Upon being informed by Project Insecurity about the vulnerabilities, OpenEMR pushed out an update on 20th July which fixed all existing vulnerabilities and thanked the researchers for highlighting the flaws. Project Insecurity published the vulnerability-testing report earlier today as per a 30-day disclosure agreement.
Securing healthcare systems a must
Commenting on the discovery of multiple vulnerabilities in OpenEMR, Keith Graham, CTO at SecureAuth + Core Security, said that since organisations such as OpenEMR, which handle sensitive data, are a prime target for attackers globally, they cannot afford to have any gaps in their cybersecurity.
"Healthcare is now the most vulnerable industry to data breaches, with 328 breaches reported in 2017 alone (accounting for 60% of all breaches last year). And the total estimated cost of these breaches is skyrocketing.
"Keeping data available, confidential and safe isn’t just a business issue – it allows healthcare personnel to provide the best patient care possible. Strong access control is essential for informed treatment and optimal patient outcomes. In life and death situations cybersecurity shouldn’t be hindering medical professionals from doing their jobs, but it can no longer afford to take a backseat.
"In this case, one of the vulnerabilities did not require any authentication, and when you’re dealing with this number of patient records, that is simply unacceptable, as a crucial element to quick and effective security is ensuring that the right people are accessing the right information at the right time."
Graham added that the discovery should act as a warning to other healthcare organisations to examine their own cybersecurity posture (including extensive pen testing) and improve their approach to authentication, moving to one that provides the maximum protection available by bringing context to the authentication process, which enables a rapid response to evolving threats, and by taking additional factors such as geographic location analysis, device recognition and IP address based threat services into account.
Jay Jay is a freelance technology writer for teiss. He has previously written news articles, device reviews and features for Mobile Choice UK website and magazine, as well as writing extensively for SC Magazine UK, Tech Radar, Indian Express, and Android Headlines.