Critical security flaws found in popular medical records software

The world’s most widely-used open-source electronic health records solution OpenEMR has been found to contain 18 cybersecurity vulnerabilities. The software, employed by medical practices across the world, currently holds almost 100 million patient records, including 10 million in the USA.

The flaws were uncovered by cybersecurity research organisation Project Insecurity. The investigation team released a report on their findings after giving OpenEMR developers a month to patch the issues, in a process known as responsible disclosure.

Amongst the vulnerabilities was a flaw rated ‘critical’ that allows an unregistered user to bypass the patient portal’s login entirely: simply navigating to the registration page and then modifying the requested URL is enough to reach any other portal page without ever supplying credentials.

Pages made accessible through this method included patient profiles, records and documentation, lab results, medications, chat and messaging services, and the payments portal.

Because those pages became reachable without a login, the bypass also exposed the SQL injection bugs within them to unauthenticated attackers (SQL injection can be leveraged to read data from the target database or perform a variety of other database operations), and gave attackers the ability to view and alter patient records.
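To make the two-step problem concrete, the following is an added example and not OpenEMR’s own code (OpenEMR is written in PHP; this is a simplified Python model). It shows a portal gate that treats a flag set by the registration page as proof of login beside a hardened gate, and a lookup that splices a request parameter into SQL beside a parameterised lookup bound to the authenticated session. The session keys, page names and table layout are assumptions chosen for illustration, and the patient rows are constructed sample data.

```python
import sqlite3

# Hypothetical page names mirroring the portal areas mentioned in the report.
REGISTRATION_PAGES = {"register"}
PORTAL_PAGES = {"profile", "records", "lab_results", "medications", "messages", "payments"}
ALL_PAGES = REGISTRATION_PAGES | PORTAL_PAGES


# --- flaw 1: an authentication check that a visit to the registration page satisfies ---

def visit_registration_vulnerable(session):
    """Models a registration page that marks the session as 'in the portal'
    before any credential has been verified (assumed flag name)."""
    session["portal"] = True


def access_allowed_vulnerable(session, page):
    """Every portal page trusts the same flag, so a visitor who opened the
    registration page and then edited the URL reaches any page."""
    return session.get("portal") is True and page in ALL_PAGES


def visit_registration_hardened(session):
    """Registration gets its own narrowly scoped flag that grants nothing else."""
    session["registering"] = True


def login(session, pid):
    """Only a real credential check (elided here) sets the authenticated state."""
    session["pid"] = pid
    session["authenticated"] = True


def access_allowed_hardened(session, page):
    """Registration pages accept the registration flag; everything else needs
    an authenticated session bound to a patient id."""
    if page in REGISTRATION_PAGES:
        return session.get("registering") is True
    if page not in PORTAL_PAGES:
        return False
    return session.get("authenticated") is True and isinstance(session.get("pid"), int)


# --- flaw 2: SQL injection in a portal page, and the parameterised fix ---

def build_demo_db():
    """In-memory SQLite table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patient_data (pid INTEGER, fname TEXT, lname TEXT)")
    conn.executemany("INSERT INTO patient_data VALUES (?, ?, ?)",
                     [(1, "Ann", "Example"), (2, "Bob", "Sample")])
    return conn


def lookup_vulnerable(conn, pid_param):
    """Request parameter spliced straight into the query text."""
    sql = f"SELECT pid, fname, lname FROM patient_data WHERE pid = '{pid_param}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, session):
    """Bound parameter, and the pid comes from the authenticated session rather
    than the request, so a patient cannot ask for someone else's record."""
    if session.get("authenticated") is not True or not isinstance(session.get("pid"), int):
        return []
    return conn.execute("SELECT pid, fname, lname FROM patient_data WHERE pid = ?",
                        (session["pid"],)).fetchall()


if __name__ == "__main__":
    s = {}
    visit_registration_vulnerable(s)
    print("vulnerable gate admits unregistered visitor to 'records':",
          access_allowed_vulnerable(s, "records"))
    s = {}
    visit_registration_hardened(s)
    print("hardened gate admits the same visitor to 'records':",
          access_allowed_hardened(s, "records"))
    conn = build_demo_db()
    print("injected lookup returns every row:", lookup_vulnerable(conn, "1' OR '1'='1"))
    login(s, 1)
    print("hardened lookup returns only the caller's row:", lookup_hardened(conn, s))
```

The two fixes are independent: scoping the registration flag closes the bypass, and binding the query parameter closes the injection. Both are needed, because a parameterised query on a page reachable without login still leaks whichever record the attacker names, and a correct login gate does nothing for an authenticated patient who injects into their own portal page.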

There were also over a dozen high, medium and low severity flaws, including further instances of SQL injection, unauthenticated information disclosure, unrestricted file upload and remote code execution.

As well as offering a medical record system, OpenEMR features patient demographics, scheduling, prescriptions and billing, all of which were exposed by the flaws.

Electronic medical records

When asked why Project Insecurity decided to code audit OpenEMR, CEO Matt Telfer told

“We’ve seen a lot of medical-related breaches in the media lately and it made us think about the entire transition from regular handling of medical records to them being dealt with electronically and the security implications of that, so we decided to look into EMR/EHR systems.

“After some googling we found that OpenEMR was the most widely-deployed open-source electronic medical record application on the internet. And the fact that it’s open source meant that we could test it without any negative legal implications.”

The BBC reports that OpenEMR is “thankful” for Project Insecurity’s work and has now patched many of the bugs that were exposed.

“The OpenEMR community takes security seriously and considered this vulnerability report high priority since one of the reported vulnerabilities did not require authentication,” OpenEMR project administrator Brady Miller said.

Internet of Business says

Despite the commendable work it is doing, Project Insecurity has morally dubious origins. Its founder is an ex-grey-hat computer hacker who operated under the pseudonym MLT and was arrested in 2012 for his involvement with the hacking group TeaMp0isoN. The group was responsible for several high-profile attacks on websites including those of the UN, Facebook, NATO, Blackberry and T-Mobile USA.

Since then, the reformed hacker has focused on legitimate security research, including bug bounty programs, identifying flaws on sites including eBay and the US Department of Defence, before founding Project Insecurity.

The organisation now works alongside reformed blackhat hackers, believing that, having been on the other side, such individuals are best placed to identify security vulnerabilities.

The security flaws discovered in OpenEMR reflect poorly on a system that should, given the sensitive and critical nature of its function, maintain the highest security standards. However, the project, and its many users all over the world, will be grateful that it was able to respond quickly to the report, thereby enabling the free open-source software to continue supporting healthcare providers through its volunteers and contributors, and to offer a compelling alternative to proprietary solutions.

With healthcare organisations amongst the biggest targets of hackers, this should serve as a warning to other companies in the space to redouble their efforts to ensure their digital products and networks are secure.

While IoT and digital transformation are helping to improve patient care and modernise healthcare procedures, the shift brings with it a whole host of new security concerns. We’re now seeing the likes of Zingbox and Nuvolo team up to help combat healthcare IoT cyberthreats.