Popular healthcare software OpenEMR contained multiple security flaws

As many as 30 security vulnerabilities were discovered by security researchers in OpenEMR, the world's most popular open-source electronic medical record and medical practice management solution.

If exploited, these flaws could allow hackers to achieve remote code execution (in multiple places), perform multiple SQL injections, bypass portal authentication, upload files without any restrictions, and carry out administrative actions without authenticating.

OpenEMR is free and open-source software that lets hospitals, clinics and other healthcare institutions maintain electronic medical records, schedule appointments, manage their practices and carry out electronic billing. It is used by hundreds of healthcare institutions across the world, which together care for nearly 100 million patients.

Multiple vulnerabilities

In July, researchers at security firm Project Insecurity discovered as many as 30 vulnerabilities in OpenEMR that could put health records of millions of people at risk of breach. According to the researchers, the vulnerabilities included "a portal authentication bypass, multiple instances of SQL injection, multiple instances of remote code execution, unauthenticated information disclosure, unrestricted file upload, CSRFs including a CSRF to RCE proof of concept, and unauthenticated administrative actions."

For instance, a hacker could bypass the Patient Portal login simply by navigating to the registration page and then modifying the requested URL to reach pages that were meant only for logged-in patients. In this way the hacker could access secure chats, patient reports, and details of medications, allergies, problems and lab results.

A hacker could also use SQL injection to read data from the target database or to execute database functions without authenticating to the Patient Portal at all. The researchers also demonstrated several further SQL injections elsewhere in the application, usable for various purposes.
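The two flaw classes described above, a portal page reachable by typing its URL and a database query built from unchecked input, share one root cause: a security check that is done in the wrong place or not at all. The following Python example is added here to illustrate the defensive pattern; it is not OpenEMR code and does not reflect how OpenEMR is built. It uses a constructed in-memory SQLite database with three made-up patient rows, a hypothetical `handle_request` dispatcher that enforces the session check centrally before any portal page is served, and a side-by-side lookup showing why a parameterised query is the fix for the injection class.

```python
import sqlite3
from typing import Optional, Tuple

# Constructed sample data for a tiny "patient portal" (not real records).
PATIENTS = [
    (1, "alice", "penicillin"),
    (2, "bob", "none"),
    (3, "carol", "latex"),
]

def make_db() -> sqlite3.Connection:
    """Build the in-memory database used by the examples below."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patient (pid INTEGER PRIMARY KEY, username TEXT, allergies TEXT)"
    )
    conn.executemany("INSERT INTO patient VALUES (?, ?, ?)", PATIENTS)
    return conn

def allergies_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable pattern: the caller's input is concatenated into the SQL text,
    so the input can change the query's logic instead of just its data."""
    sql = "SELECT pid, allergies FROM patient WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def allergies_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the input travels as a bound parameter and is only ever
    compared as a value, whatever characters it contains."""
    return conn.execute(
        "SELECT pid, allergies FROM patient WHERE username = ?", (username,)
    ).fetchall()

# Only the login and registration pages may be served without a session.
PUBLIC_PAGES = {"/portal/login", "/portal/register"}

def handle_request(
    conn: sqlite3.Connection, path: str, session: Optional[dict]
) -> Tuple[int, str, Optional[str]]:
    """Hypothetical portal dispatcher. The authentication check runs once, here,
    before any page handler, so no protected page can be reached merely by
    requesting its URL. Returns (status, page, payload)."""
    if path not in PUBLIC_PAGES:
        pid = session.get("pid") if session else None
        if pid is None:
            # Unauthenticated request for a protected page: redirect, never serve.
            return (302, "/portal/login", None)
    if path == "/portal/login":
        return (200, "login form", None)
    if path == "/portal/register":
        return (200, "registration form", None)
    if path == "/portal/allergies":
        # The row is selected by the pid stored in the server-side session,
        # never by an identifier the client supplies, so one patient cannot
        # request another patient's record by editing the URL.
        rows = conn.execute(
            "SELECT allergies FROM patient WHERE pid = ?", (session["pid"],)
        ).fetchall()
        return (200, "allergies", rows[0][0] if rows else None)
    return (404, "not found", None)

if __name__ == "__main__":
    db = make_db()
    print(handle_request(db, "/portal/allergies", None))        # (302, '/portal/login', None)
    print(handle_request(db, "/portal/allergies", {"pid": 3}))  # (200, 'allergies', 'latex')
    print(allergies_safe(db, "alice"))                           # [(1, 'penicillin')]
```

The point of `handle_request` is that the gate lives in the dispatcher rather than in each page: a page that forgets to include its own check is exactly how a registration page can become a door into the rest of the portal. Likewise, `allergies_safe` needs no input filtering to be correct, because the database driver never interprets the bound value as SQL.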

After Project Insecurity reported the vulnerabilities, OpenEMR pushed out an update on 20 July that fixed all of the reported flaws, and thanked the researchers for highlighting them. Project Insecurity published its report earlier today, in line with a 30-day disclosure agreement.

Securing healthcare systems a must

Commenting on the discovery of multiple vulnerabilities in OpenEMR, Keith Graham, CTO at SecureAuth + Core Security, said that because organisations such as OpenEMR that handle sensitive data are a prime target for attackers globally, they cannot afford any gaps in their cybersecurity.

"Healthcare is now the most vulnerable industry to data breaches, with 328 breaches reported in 2017 alone (accounting for 60% of all breaches last year). And the total estimated cost of these breaches is skyrocketing.

"Keeping data available, confidential and safe isn’t just a business issue – it allows healthcare personnel to provide the best patient care possible. Strong access control is essential for informed treatment and optimal patient outcomes. In life and death situations cybersecurity shouldn’t be hindering medical professionals from doing their jobs, but it can no longer afford to take a backseat.

"In this case, one of the vulnerabilities did not require any authentication, and when you’re dealing with this number of patient records, that is simply unacceptable, as a crucial element to quick and effective security is ensuring that the right people are accessing the right information at the right time."

Graham added that the discovery should act as a warning to other healthcare organisations to examine their own cybersecurity posture, including extensive penetration testing, and to improve their approach to authentication: one that provides the maximum protection available by bringing context to the authentication process, enabling a rapid response to evolving threats and taking additional factors such as geographic location analysis, device recognition and IP address based threat services into account.


Copyright Lyonsdown Limited 2021