Popular healthcare software OpenEMR contained multiple security flaws

As many as 30 security vulnerabilities were discovered by security researchers in OpenEMR, the world's most widely used open-source electronic medical record and medical practice management solution.

If exploited, these flaws could allow attackers to execute code remotely, inject SQL, bypass patient portal authentication, upload arbitrary files, and perform administrative actions without authenticating.

OpenEMR is free, open-source software that hospitals, clinics and other healthcare institutions use to maintain electronic medical records, schedule appointments, manage their practices and handle electronic billing. It is deployed by hundreds of healthcare institutions across the world, which between them care for nearly 100 million patients.

Multiple vulnerabilities

In July, researchers at security firm Project Insecurity discovered as many as 30 vulnerabilities in OpenEMR that could put health records of millions of people at risk of breach. According to the researchers, the vulnerabilities included “a portal authentication bypass, multiple instances of SQL injection, multiple instances of remote code execution, unauthenticated information disclosure, unrestricted file upload, CSRFs including a CSRF to RCE proof of concept, and unauthenticated administrative actions.”

For instance, an attacker could bypass the Patient Portal login simply by navigating to the registration page and then modifying the requested URL to reach the desired page. In this way the attacker could read secure chats, patient reports, and details of medications, allergies, problems and lab results, all without valid credentials.
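The bypass described above belongs to a well-known class of flaw: an access gate that treats any "live" session as good enough, so a session created by merely opening the public registration page unlocks pages that should require a completed login. The following is an added illustration written for this page, not code from OpenEMR or from the researchers; the page names, session fields and gate functions are hypothetical. It models the vulnerable gate beside a hardened one and runs the attacker's two steps (open registration, then request a protected page) against both.

```python
# Added example (not OpenEMR code): a session gate that trusts "registration
# in progress" as if it were a login, beside the corrected gate.
from dataclasses import dataclass
from typing import Callable, Optional

# Hypothetical protected portal pages (names assumed for illustration).
PROTECTED_PAGES = {"messages", "reports", "medications", "allergies", "labs"}


@dataclass
class Session:
    user_id: Optional[int] = None   # set only after a successful login
    registering: bool = False       # set when the public registration page is opened


def visit_register(session: Session) -> str:
    """Public registration page: marks the session so the multi-step form can continue."""
    session.registering = True
    return "register"


def vulnerable_gate(session: Session, page: str) -> str:
    """Flawed gate: any populated session state, login OR registration, is let through."""
    if session.user_id is not None or session.registering:
        return page if page in PROTECTED_PAGES else "404"
    return "login"


def fixed_gate(session: Session, page: str) -> str:
    """Corrected gate: only a completed login grants access; registration state is irrelevant."""
    if session.user_id is None:
        return "login"
    return page if page in PROTECTED_PAGES else "404"


def attack(gate: Callable[[Session, str], str]) -> str:
    """Unauthenticated attacker: open the registration page, then change the URL to a protected page."""
    s = Session()               # fresh, anonymous session
    visit_register(s)           # step 1: GET the registration page
    return gate(s, "reports")   # step 2: edit the URL to point at a protected page


if __name__ == "__main__":
    print("vulnerable gate serves:", attack(vulnerable_gate))  # reports
    print("fixed gate serves:", attack(fixed_gate))            # login
```

The practical check this suggests for any multi-step portal is to request each post-login page with a session that has only touched the pre-login flow (registration, password reset, consent pages) and confirm that every one of them redirects to the login page rather than rendering.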

An attacker could also use SQL injection to read data from the target database or execute database functions without authenticating to the Patient Portal. The researchers also demonstrated several further SQL injections that served different purposes.
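To make concrete what "view data from a target database without authentication" means, the following added example (written for this page, not code from OpenEMR or the researchers) shows a lookup that concatenates a user-supplied patient identifier into its SQL beside the parameterised form, and runs two classic payloads against both: a tautology that returns every row of the queried table, and a UNION that pulls rows out of an unrelated credentials table. The schema, table names and sample rows are constructed for the demonstration and are not real records.

```python
# Added example (not OpenEMR code): string-built SQL beside a parameterised query,
# exercised with two injection payloads against constructed sample data.
import sqlite3
from typing import Dict, List


def build_db() -> sqlite3.Connection:
    """Constructed sample database (hypothetical schema, fake data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE patients (id TEXT PRIMARY KEY, name TEXT);
        CREATE TABLE users (username TEXT, password_hash TEXT);
        INSERT INTO patients VALUES ('P100', 'Alice Example'), ('P200', 'Bob Example');
        INSERT INTO users VALUES ('admin', 'hash-admin'), ('portal', 'hash-portal');
    """)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, patient_id: str) -> List[str]:
    """Flawed: the untrusted value is spliced into the SQL text and parsed as SQL."""
    sql = f"SELECT name FROM patients WHERE id = '{patient_id}'"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn: sqlite3.Connection, patient_id: str) -> List[str]:
    """Parameterised: the value is bound to a placeholder and can never change the query."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM patients WHERE id = ?", (patient_id,))]


# Attacker-controlled inputs (constructed payloads).
TAUTOLOGY = "' OR '1'='1"                                    # makes the WHERE clause always true
UNION_DUMP = "' UNION SELECT password_hash FROM users --"    # appends rows from another table


def demo() -> Dict[str, List[str]]:
    """Run both payloads and one legitimate id through both lookups."""
    conn = build_db()
    return {
        "vuln_tautology": vulnerable_lookup(conn, TAUTOLOGY),   # every patient name
        "vuln_union": vulnerable_lookup(conn, UNION_DUMP),      # credential hashes
        "safe_tautology": safe_lookup(conn, TAUTOLOGY),         # no such id -> []
        "safe_union": safe_lookup(conn, UNION_DUMP),            # no such id -> []
        "safe_legit": safe_lookup(conn, "P100"),                # ['Alice Example']
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:15s} {rows}")
```

Both payloads work because the single quote in the input closes the string literal the query opened, and the trailing comment marker in the UNION payload swallows the quote the query would have appended. The parameterised version returns an empty result for both, since the whole string is compared as a value against the id column.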

Once informed of the vulnerabilities by Project Insecurity, OpenEMR released an update on 20th July that fixed all of the reported flaws, and thanked the researchers for highlighting them. Project Insecurity published its vulnerability report earlier today under a 30-day disclosure agreement.

Securing healthcare systems a must

Commenting on the discovery of multiple vulnerabilities in OpenEMR, Keith Graham, CTO at SecureAuth + Core Security, said that because organisations running systems such as OpenEMR handle sensitive data and are a prime target for attackers globally, they cannot afford to have any gaps in their cybersecurity.

“Healthcare is now the most vulnerable industry to data breaches, with 328 breaches reported in 2017 alone (accounting for 60% of all breaches last year). And the total estimated cost of these breaches is skyrocketing.

“Keeping data available, confidential and safe isn’t just a business issue – it allows healthcare personnel to provide the best patient care possible. Strong access control is essential for informed treatment and optimal patient outcomes. In life and death situations cybersecurity shouldn’t be hindering medical professionals from doing their jobs, but it can no longer afford to take a backseat.

“In this case, one of the vulnerabilities did not require any authentication, and when you’re dealing with this number of patient records, that is simply unacceptable, as a crucial element to quick and effective security is ensuring that the right people are accessing the right information at the right time.”

Graham added that the discovery should act as a warning to other healthcare organisations to examine their own cybersecurity posture (including extensive penetration testing) and to improve their approach to authentication: one that provides the maximum protection available by bringing context to the authentication process, enabling a rapid response to evolving threats, and taking additional factors such as geographic location analysis, device recognition and IP address-based threat services into account.

Copyright Lyonsdown Limited 2021