Vulnerable software puts healthcare records at risk
Health records of nearly 100 million patients around the world were put at risk due to 18 security vulnerabilities found in OpenEMR, an open-source patient and practice management system.
In a report, Project Insecurity, which discovered the bugs, said among the vulnerabilities was an easy bypass of the patient portal authentication, needing only a modified URL to access confidential information.
There were also multiple instances of SQL injection, as well as remote code execution, unauthenticated information disclosure, unauthenticated administrative actions, and unrestricted file upload.
In addition, the researchers found cross-site request forgeries (CSRFs), including a proof-of-concept CSRF that leads to remote code execution. A CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated.
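To illustrate the CSRF definition above, here is an added example that is not from the report or from OpenEMR's own code: a hypothetical profile-update handler that trusts the session cookie alone, beside a hardened version that also requires a per-session synchronizer token and checks the Origin header. The session store, application origin and request values are constructed for the demonstration.

```python
import secrets
from dataclasses import dataclass

# Constructed server-side session store: cookie value -> user and per-session CSRF token.
SESSIONS = {"sess-abc123": {"user": "patient42", "csrf": secrets.token_hex(16)}}
APP_ORIGIN = "https://emr.example"  # hypothetical origin of the EMR application

@dataclass
class Request:
    cookies: dict
    form: dict
    origin: str = ""  # Origin header; browsers set it on cross-site POSTs

def update_email_vulnerable(req: Request, records: dict) -> int:
    """Cookie-only authorization: any request carrying the session cookie is trusted."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401
    records[sess["user"]]["email"] = req.form["email"]
    return 200

def update_email_hardened(req: Request, records: dict) -> int:
    """Same action guarded by a synchronizer token plus an Origin check."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401
    # The token exists only in the server session and the application's own form;
    # a page on another origin cannot read it, so a forged submission lacks it.
    if not secrets.compare_digest(req.form.get("csrf", ""), sess["csrf"]):
        return 403
    # Defense in depth: reject cross-site POSTs by their Origin header.
    if req.origin and req.origin != APP_ORIGIN:
        return 403
    records[sess["user"]]["email"] = req.form["email"]
    return 200

def forged_request() -> Request:
    """What an auto-submitted form on a third-party page looks like at the server:
    the browser attaches the victim's cookie, but the page cannot supply the token."""
    return Request(cookies={"session": "sess-abc123"},
                   form={"email": "changed@example.invalid"},
                   origin="https://third-party.example")

def legitimate_request() -> Request:
    """A submission from the application's own form, which embeds the token."""
    return Request(cookies={"session": "sess-abc123"},
                   form={"email": "new@patient.example", "csrf": SESSIONS["sess-abc123"]["csrf"]},
                   origin=APP_ORIGIN)
```

The vulnerable handler returns 200 for the forged request because the cookie is all it checks; the hardened handler returns 403 and leaves the record unchanged, while the application's own form still succeeds.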
Project Insecurity notified OpenEMR and allowed it to patch the bugs before releasing its report.
No evidence of misuse
OpenEMR is one of the most widely used electronic medical record (EMR) platforms in the world, holding the records of almost 100 million patients. While there is no evidence of a breach, or that any records were stolen or misused, researchers say the data exposure is concerning.
Medical facilities that use OpenEMR have been advised to update their systems as soon as possible, if they have not already done so.
OpenEMR said in a statement: "The OpenEMR community is thankful to Project Insecurity for their report, which led to an improvement in OpenEMR's security. Responsible security vulnerability reporting is an invaluable asset for OpenEMR and all open source projects. The OpenEMR community takes security seriously and considered this vulnerability high priority since one of the reported vulnerabilities did not require authentication. A patch was promptly released and announced to the community. Additionally, all downstream packages and cloud offerings were patched."
More bugs likely
Ilia Kolochenko, CEO of Web security company High-Tech Bridge, says ongoing research of popular open source software conducted by his organisation suggests that many more bugs likely remain undetected.
"Nonetheless, the remediated vulnerabilities definitely bring OpenEMR to a better overall security level and probably even cover some zero days exploited in the wild by cybercriminals."
However, he says there is still a risk to patients and their data, if healthcare institutions unreasonably delay patching or don't patch at all. "Attackers will certainly start exploiting the vulnerabilities soon, as health records can be traded at a very attractive price on the black market."