A research team found 20 security flaws in OpenEMR, a commonly used software program for running EHRs

Research team uncovers 20 security flaws in widely used EHR software

August 15, 2018
by John R. Fischer, Senior Reporter
A team of researchers may have just saved the data of millions worldwide from potential cyber threats with their discovery of more than 20 vulnerabilities in a software program commonly used to support EHRs.

Calling itself Project Insecurity, the team uncovered the security flaws within OpenEMR version 5.0.1.3, an open-source program, with issues ranging from SQL injection flaws to a bypass technique for portal authentication. In response, OpenEMR has since released an update of its software to patch all bugs found.

"This discovery is just one of many examples of the issues faced in regard to the medical industry in general," Matt Telfer, chief executive officer for Project Insecurity, told HCB News. "Personally, I'd say open-source software is the least of our worries. At least with the likes of OpenEMR, someone educated in the field of security can analyze the source code and make an educated decision as to whether it's really good software to be storing sensitive medical records. With proprietary EHR software, on the other hand, system administrators can't afford that luxury and have no option but to blindly trust that the system is secure."

Downloading the software from GitHub, the team tested it on a Debian LAMP server, foregoing automated testing tools and instead manually reviewing the source code and modifying requests with Burp Suite.

Of the 22 vulnerabilities found, 17 were considered to be of high severity. None, however, reached the level of critical.

One such flaw was the ability to bypass the patient portal authentication simply by modifying a requested URL on the registration page to access the desired portal areas within the program. Such pages include those for payments, patient profiles, documentation and lab results.

Combining this issue with one of eight SQL injection vulnerabilities found in bits of OpenEMR’s PHP code would enable attackers to view data from a target database, manipulate patient records and perform database functions in an unauthorized manner, compromising the privacy and integrity of the data and, potentially, its accuracy.

Four remote code execution bugs were also found that would allow attackers to create requests or upload any type of file, actions that could provide them with access to code execution and escalated privileges.

Another issue found was a group of high-risk cross-site request forgery vulnerabilities. If an attacker succeeded in deceiving an administrator into clicking a malicious link, these could be used to upload a web shell, a script placed on a web server for remote administration of the machine, and thereby achieve remote code execution.

The three other serious findings were an arbitrary file write bug for uploading any file with false requests; an arbitrary file read flaw for viewing files on the site outside of the directory, due to a lack of sanitization; and an arbitrary file deletion issue, also caused by a lack of sanitization.
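As an added example (not OpenEMR's code or the research team's), the single check that the arbitrary file read, write and delete flaws above all lacked: canonicalizing a user-supplied name against a base directory before touching the file system. It is written in Python for illustration; the same pattern applies in PHP with realpath(). The directory, file names and sample inputs are constructed for the demo.

```python
import os
import tempfile

# Added illustration, not OpenEMR's code: a containment check for user-supplied
# file names, the missing step behind the arbitrary read/write/delete flaws above.

class PathEscape(ValueError):
    """Requested name resolves outside the permitted directory."""

def contained_path(base_dir: str, user_name: str) -> str:
    """Return the canonical path of user_name under base_dir, or raise PathEscape.
    Rejects NUL bytes, absolute paths, '..' traversal and symlinks leading out."""
    if not user_name or "\x00" in user_name:
        raise PathEscape("empty name or NUL byte")
    if os.path.isabs(user_name):
        raise PathEscape("absolute path not allowed")
    base = os.path.realpath(base_dir)  # canonical form on both sides
    candidate = os.path.realpath(os.path.join(base, user_name))
    # Trailing separator: '/srv/docs2' must not pass as a child of '/srv/docs'.
    if not candidate.startswith(base + os.sep):
        raise PathEscape(f"{user_name!r} resolves outside the permitted directory")
    return candidate

def safe_read(base_dir: str, user_name: str) -> bytes:
    with open(contained_path(base_dir, user_name), "rb") as fh:
        return fh.read()

def safe_delete(base_dir: str, user_name: str) -> None:
    os.remove(contained_path(base_dir, user_name))

def demo() -> dict:
    """Exercise the check in a throwaway directory with constructed sample data."""
    base = tempfile.mkdtemp()
    with open(os.path.join(base, "note.txt"), "wb") as fh:
        fh.write(b"patient note")
    os.symlink(os.path.dirname(base), os.path.join(base, "up"))  # link out of base
    results = {"read": safe_read(base, "note.txt")}
    for name in ("../etc/passwd", "/etc/passwd", "up/secret", "note.txt\x00.jpg", ""):
        try:
            contained_path(base, name)
            results[name] = "allowed"
        except PathEscape:
            results[name] = "blocked"
    safe_delete(base, "note.txt")
    results["deleted"] = not os.path.exists(os.path.join(base, "note.txt"))
    return results
```

Running demo() shows the legitimate read and delete succeed while every traversal, absolute, symlinked and NUL-byte name is refused before any file is opened.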

“The OpenEMR community is very thankful to Project Insecurity for their report, which led to an improvement in OpenEMR's security,” Brady Miller, OpenEMR Project Administrator and CEO of OpenEMR.org, told HCB News. “Responsible security vulnerability reporting is an invaluable asset for OpenEMR and all open source projects. The OpenEMR community takes security seriously and considered this vulnerability high priority, since one of the reported vulnerabilities did not require authentication. A patch was promptly released and announced to the community. Additionally, all downstream packages and cloud offerings were patched.”

Telfer says the most secure option would be for providers to use traditional health records instead of EHRs and avoid storing any patient information electronically or in a form that can potentially be accessed over the internet. He admits though that such an option is "wishful thinking" for today's world.

"They should instead be storing these records on local machines isolated from any network. Even if they are running an OpenEMR installation purely within a LAN environment, it would still be possible for an attacker to infiltrate the network and utilize the OpenEMR vulnerabilities to exfiltrate patient data," he said. "There's no way everyone is going to move away from EHR systems with the current state of technology and the fact that practically everything is internet-connected these days, so instead I'd suggest they implement secure programming practices and perform extensive penetration tests before allowing any of these systems to go live."

Additional issues included three low-risk, unauthenticated information disclosure flaws; a medium-risk, unrestricted file upload bug; and a low-risk group of unauthenticated administrative actions that could be performed with knowledge of the relative URL path.

The upgrade is available as OpenEMR version 5.0.1.4 and was released in mid-to-late July.