OpenEMR flaws left millions of health records exposed

A total of 23 critical vulnerabilities were left unpatched until last month

Clinician's computer meltdown

Critical security flaws in the widely-used OpenEMR health records storage system left millions of patient records vulnerable, researchers have revealed.

A host of flaws in version 5.0.1.3 of the open source system used by organisations across the world - including a portal authentication bypass, instances of SQL injection, as well as remote code execution - left the records of more than 90 million patients vulnerable.

Advertisement - Article continues below

The 23 issues - many described as 'high risk' - outlined in a vulnerability report were discovered by a team of seven cyber security experts from Project Insecurity who manually reviewed OpenEMR's source code without the use of any automated analytical tools.

The researchers brought these vulnerabilities to the developer's attention last month, before the vendor released an update fixing the vulnerabilities less than two weeks later on 20 July. Full disclosure of the vulnerabilities were made yesterday as per an agreement between OpenEMR and Project Insecurity.

"We've seen a lot of medical-related breaches in the media lately and it made us think about the entire transition from regular handling of medical records to them being dealt with electronically and the security implications of that," said Project Insecurity's CEO Matt Telfer, speaking with databreaches.net.

Advertisement
Advertisement - Article continues below

"After some googling we found that OpenEMR was the most widely-deployed open-source electronic medical record application on the internet. And the fact that it's open source meant that we could test it without any negative legal implications."

The research team also issued a number of recommendations the developers could deploy to prevent further exploitation in future, including PHP modifications to prevent SQL injection attacks, and blacklisting malicious extensions to mitigate the risk of unrestricted file uploads.

Advertisement - Article continues below

Project Insecurity's chief financial officer Brian Hyde told IT Pro the team wasn't able to say whether malicious actors had already taken advantage of the frailties, but added a dedicated hacker would have been able to find them "in a rather trivial manner".

He added some of the exploits "could have potentially been there since the very first release of OpenEMR".

OpenEMR is one of the world's most widely-used systems for storing medical records and managing medical practices, and boasts thousands of downloads each month.

The open source system is predominantly used in the US, and on Windows devices, but is also popular in a host of other countries including India, and Honduras. OpenEMR does have a presence in the UK - but it is not as widely-used; only 19th in most downloads by country in the last five years.

Concerns over the security of patient data have never been higher - particularly as health records across the NHS are increasingly being stored digitally. Speaking with IT Pro in June, experts highlighted the risks of migrating patient data to the public cloud, claiming patients would be put at risk if cloud migration is done purely as a cost-saving exercise.

Advertisement - Article continues below

NHS Digital told IT Pro OpenEMR is not used from a national perspective, but local organisations are able to procure their own systems from a variety of suppliers.

It is unlikely OpenEMR is used in the NHS, the spokesperson added, due to its exclusion from the main channels through which Primary and Secondary Care organisations procure their services.

Featured Resources

Successful digital transformations are future ready - now

Research findings identify key ingredients to complete your transformation journey

Download now

Cyber security for accountants

3 ways to protect yourself and your clients online

Download now

The future of database administrators in the era of the autonomous database

Autonomous databases are here. So who needs database administrators anymore?

Download now

The IT expert’s guide to AI and content management

Your guide to the biggest opportunities for IT teams when it comes to AI and content management

Download now
Advertisement
Advertisement

Recommended

Visit/security/cyber-security/355267/zoom-hires-ex-facebook-cso-to-boost-platform-security
cyber security

Zoom hires ex-Facebook CSO Alex Stamos to boost platform security

8 Apr 2020
Visit/security/vulnerability/355236/hp-support-assistant-flaws-leave-windows-devices-open-to-attack
vulnerability

HP Support Assistant flaws leave Windows devices open to attack

6 Apr 2020
Visit/security/cyber-security/355234/safari-bug-let-hackers-access-cameras-on-iphones-and-macs
cyber security

Safari bug let hackers access cameras on iPhones and Macs

6 Apr 2020
Visit/software/video-conferencing/355229/zoom-we-moved-too-fast
video conferencing

Zoom CEO admits company "moved too fast" as privacy issues mount

6 Apr 2020

Most Popular

Visit/mobile/mobile-phones/355239/microsofts-patent-design-reveals-a-mobile-device-with-a-third-screen
Mobile Phones

Microsoft patents a mobile device with a third screen

6 Apr 2020
Visit/server-storage/servers/355254/a-critical-flaw-in-350000-microsoft-exchange-remains-unpatched
servers

A critical flaw in 350,000 Microsoft Exchange remains unpatched

7 Apr 2020
Visit/software/video-conferencing/355257/taiwan-first-country-to-ban-zoom-amid-security-concerns
video conferencing

Taiwan becomes first country to ban Zoom amid security concerns

8 Apr 2020