100 million health records at risk

A team of seven researchers has discovered more than 20 security vulnerabilities in OpenEMR, an open-source application used worldwide for the electronic management of the medical records of almost 100 million people.

Tomas Foltyn

In keeping with the principles of responsible disclosure, the researchers at Project Insecurity notified OpenEMR’s developers of the security holes well in advance before going public with their findings. This allowed the developers to release an update on July 20 5.0.1.4 that resolves the bugs. The team’s findings are detailed in this vulnerability report, describing holes in the software’s previous version (5.0.1.3).

Interestingly, the researchers didn’t rely on any automated testing tools to identify the security holes – most of which were deemed severe. “The vulnerabilities disclosed in this report were found by manually reviewing the source code and modifying requests with Burp Suite Community Edition, no automated scanners or source code analysis tools were used,” they wrote.

Most importantly, among the bugs was one that allowed for an easy bypass of the patient portal authentication. “An unauthenticated user is able to bypass the Patient Portal Login by simply navigating to the registration page and modifying the requested url to access the desired page,” reads the report.

Speaking to DataBreaches.net, the firm’s Red Team Lead Cody Zacharias said: “The authentication bypass vulnerability was the most significant vulnerability our team discovered because not only does it open the web application to SQL injection, but also it gives the attacker the ability to view and tamper with a person’s records affecting both the privacy and the integrity of the EMR.”

In addition, the team discovered a slew of remote code execution flaws and multiple instances of SQL injection vulnerabilities. OpenEMR was also left open to attack through arbitrary read, write, and deletion vulnerabilities, an unrestricted file upload vulnerability, as well as by dint of several cross-site request forgery bugs that allowed for remote code execution.

Project Insecurity CEO Matt Telfer had this to say to DataBreaches.net about why they’d chosen to pore over OpenEMR’s code: “We’ve seen a lot of medical-related breaches in the media lately and it made us think about the entire transition from regular handling of medical records to them being dealt with electronically and the security implications of that, so we decided to look into EMR/EHR systems. After some googling we found that OpenEMR was the most widely-deployed open-source electronic medical record application on the internet. And the fact that it’s open source meant that we could test it without any negative legal implications.”

Meanwhile, CEO of OpenEMR.org Brady G. Miller has voiced his appreciation for Project Insecurity’s initiative: “The OpenEMR community is very thankful to Project Insecurity for their report, which led to an improvement in OpenEMR’s security. Responsible security vulnerability reporting is an invaluable asset for OpenEMR and all open source projects.”

Needless to say, health care institutions that use OpenEMR are well advised to update their systems if they haven’t already done so.

Written by Tomas Foltyn, security writer at ESET