OpenEMR patches security bugs that put millions of patient records at risk

Security researchers notified the open source EHR managing software of nearly 30 critical vulnerabilities – the second set of vulnerabilities found in a year.
By Jessica Davis
02:57 PM
Share
cybersecurity authentication logs on computer screen

A sample screen snap of authentication logs. Researchers found OpenEMR vulnerabilities easily let anyone bypass the patient portal authentication with unrestricted upload errors.

Millions of patient records were potentially left vulnerable to attack by more than 20 vulnerabilities discovered by cybersecurity researchers from Project Insecurity.

The widely used open source EHR management platform is used across the world by thousands of providers and small healthcare organizations for lab integration, CMS reporting, scheduling and storing records. Up until OpenEMR addressed the issues, the platform had 18 severe vulnerabilities.

As a result, Project Insecurity held its report until OpenEMR was able to address the findings.

Included in the list of bugs: A flaw that would easily let anyone bypass the patient portal authentication by navigating to the registration page and changing the URL to access the desired page. The researchers provided a list of all portal directory pages that would open to the hacker, including patient profiles.

The researchers also discovered multiple instances of SQL injection, which can be leveraged to view data from a targeted database or to perform other tasks like performing database functions. There also were many security issues that could have led to remote code execution and others that could have disclosed data.

OpenEMR’s management system also was open to compromise by hackers through unrestricted upload errors, unauthenticated information disclosure and unauthenticated administrative actions, among others.

All vulnerabilities required no automated scanning or source code analysis tools. The researchers found them by just manually reviewing the source code and modifying requests. If found by a hacker, they could access patient records, compromised databases and sensitive system data, and elevate privileges, upload files and more.

Researchers set up a test lab to examine the platform, as OpenEMR was warned of system flaws by Risk Based Security in November 2017. That report found a configuration vulnerability that could expose a system to complete compromise.

Patches have been released to cloud customers and users. OpenEMR released an update to resolve these issues on Aug. 7.

Given the severity of the target on the healthcare sector, this disclosure is more than alarming. Platform vulnerabilities and failed patches are giving hackers an even easier way to get into private data. Patch management and monitoring are crucial to shore up these flaws.

Healthcare Security Forum

The Boston forum to focus on business-critical information healthcare security pros need Oct. 15-16.

Twitter: @JF_Davis_
Email the writer: jessica.davis@himssmedia.com