A large number of vulnerabilities in OpenEMR allowed
attackers to access patients' health records, read data from a target database,
escalate their privileges on the server, execute system commands, and that is only the
tip of the iceberg.
What is OpenEMR?
OpenEMR is a free and open source electronic health records
and healthcare practice management software.
It is believed that more than 15000 healthcare organizations across
the globe use OpenEMR as their electronic medical records solution. The number
of patient records managed through OpenEMR is estimated to be more than 100
million.
OpenEMR vulnerabilities
The vulnerabilities were discovered through a
manual review of the software's source code and by modifying requests with Burp
Suite Community Edition. The researchers – all working with cyber security
outfit Project Insecurity – did not use automated scanners or any source
code analysis tools.
The vulnerabilities they found in OpenEMR v5.0.1.3
included a portal authentication bypass, SQL injection and remote code
execution bugs, unauthenticated information disclosure, unrestricted file
upload, CSRFs, and unauthenticated administrative actions.
The portal authentication bypass is the most dangerous one,
as it would have allowed unauthenticated users, including attackers, to view and modify
an individual's health records. Accessing those records was as straightforward
as opening the registration page and modifying the URL to reach the desired
page.
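To make the failure mode concrete, here is an added, hypothetical Python model (not OpenEMR's PHP code) of a portal gate that trusts a flag set by the registration page, beside a gate that checks a verified patient identity and record ownership on every request; the session fields, page names, record data and credentials are all constructed for the illustration.

```python
"""Hypothetical model of a patient-portal access check (not OpenEMR's code)."""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data: record pages keyed by patient id.
RECORDS = {101: "demographics, prescriptions and billing for patient 101"}

# Pages that must never be served without an authenticated patient session.
PROTECTED_PAGES = {"records", "billing", "appointments"}


@dataclass
class Session:
    in_portal: bool = False            # set by the registration page (weak signal)
    patient_id: Optional[int] = None   # set only after credentials are verified


def register_page(session: Session) -> str:
    session.in_portal = True  # the registration flow marks the session as 'in the portal'
    return "registration form"


def login(session: Session, user: str, password: str) -> bool:
    # Constructed credential check standing in for real password verification.
    if (user, password) == ("patient101", "correct-horse"):
        session.patient_id = 101
        session.in_portal = True
        return True
    return False


def vulnerable_dispatch(session: Session, page: str, pid: int) -> str:
    # Flaw: the gate only tests a flag that an anonymous visitor can set by
    # opening the registration page, so editing the URL afterwards reaches records.
    if page in PROTECTED_PAGES and not session.in_portal:
        return "403 login required"
    return RECORDS.get(pid, "no such patient")


def hardened_dispatch(session: Session, page: str, pid: int) -> str:
    # Every protected page requires a verified identity (authentication) and the
    # requested record must belong to that identity (authorization).
    if page in PROTECTED_PAGES:
        if session.patient_id is None:
            return "403 login required"
        if session.patient_id != pid:
            return "403 not your record"
    return RECORDS.get(pid, "no such patient")


def walkthrough(dispatch: Callable[[Session, str, int], str]) -> str:
    """Open the registration page, then edit the URL to point at a record page."""
    s = Session()
    register_page(s)
    return dispatch(s, "records", 101)
```

Running `walkthrough` against both dispatchers shows the first one serving the record to a session that never logged in, while the second refuses it until a verified patient id is present.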
"Some of the data which could be stolen because of this
imperfection are patient demographics, all Medical Records, prescriptions and
medical billing data, appointments scheduled and much more," Cody
Zacharias, Red Team, told DataBreaches.net.
More details about the vulnerabilities, the vulnerable
code, and some PoCs can be found in this report.
OpenEMR Remediation
The researchers disclosed their findings to the software vendor
and waited up to a month before making them public. They also suggested
code changes for remediating the defects.
“The OpenEMR community is very thankful to Project
Insecurity for their report, which led to an improvement in OpenEMR’s security.
Responsible security vulnerability reporting is an invaluable asset for OpenEMR
and all open source projects,” noted Brady G. Miller, CEO of OpenEMR.org.
“The OpenEMR
community takes security seriously and considered this vulnerability high
priority since one of the reported vulnerabilities did not require
authentication. A patch was promptly released and announced to the community.
Additionally, all downstream packages and cloud offerings were patched.”
OpenEMR.org is known to respond quickly to responsible
vulnerability disclosure and to be grateful to researchers who take the time
to probe the software for security defects.
The fact that the software is open source is what
prompted Project Insecurity to devote their time to inspecting the code,
as it meant they could test it without negative legal ramifications.
The best possible plan of action seems to be switching to a more prominent EHR system, rather than opting for OpenEMR. Of course, there are several secure OpenEMR-based systems, such as ZH Healthcare's ZH OpenEMR, but security is something that can be compromised in open source systems.