by John R. Fischer, Senior Reporter | August 15, 2018
A team of researchers may have just saved the data of millions worldwide from potential cyber threats with their discovery of more than 20 vulnerabilities in a software program commonly used to support EHRs.
Calling itself Project Insecurity, the team uncovered the security flaws in OpenEMR version 126.96.36.199, an open-source program, with issues ranging from SQL injection flaws to a technique for bypassing patient-portal authentication. In response, OpenEMR has since released an update that patches all of the bugs found.
"This discovery is just one of many examples of the issues faced in regard to the medical industry in general," Matt Telfer, chief executive officer for Project Insecurity, told HCB News. "Personally, I'd say open-source software is the least of our worries. At least with the likes of OpenEMR, someone educated in the field of security can analyze the source code and make an educated decision as to whether it's really good software to be storing sensitive medical records. With proprietary EHR software, on the other hand, system administrators can't afford that luxury and have no option but to blindly trust that the system is secure."
Downloading the software from GitHub, the team tested it on a Debian LAMP server, forgoing automated testing tools and instead manually reviewing the source code and modifying requests with Burp Suite.
Of the 22 vulnerabilities found, 17 were considered to be of high severity. None, however, reached the level of critical.
One such flaw was the ability to bypass patient-portal authentication simply by modifying the requested URL on the registration page, which gave access to the desired portal areas within the program. Such pages include those for payments, patient profiles, documentation and lab results.
Combining this issue with one of eight SQL injection vulnerabilities found in parts of OpenEMR's PHP code would enable attackers to view data from a target database, manipulate patient records and perform database functions without authorization, compromising the privacy and integrity of the data and, potentially, its accuracy.
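What the portal authentication bypass and SQL injection findings above come down to for a single portal page, as an added PHP example (not OpenEMR's own code; the function names, session keys and table layout are assumptions): the vulnerable pattern trusts a patient identifier taken from the URL, while the hardened pattern gates the page on a server-side session and binds the query parameter.

```php
<?php
// Added example, not OpenEMR code. portal_guard(), the session keys and the
// patient_data table layout are assumptions for illustration.
declare(strict_types=1);

// Vulnerable pattern: the page trusts a patient id taken from the URL and
// interpolates it into SQL. Anyone who edits ?pid= reads another patient's
// records, and a crafted value turns into SQL injection.
function vulnerable_lookup(PDO $db, string $pid): array
{
    $sql = "SELECT id, lname, fname FROM patient_data WHERE id = $pid";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern, part 1: every portal page calls this guard before it
// renders anything. The identity comes from the server-side session, never
// from the request, so changing the URL cannot reach a page unauthenticated.
function portal_guard(): int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['portal_authenticated']) || empty($_SESSION['portal_pid'])) {
        header('Location: /portal/index.php', true, 302);
        exit;
    }
    return (int) $_SESSION['portal_pid'];
}

// Hardened pattern, part 2: the query is prepared and scoped to the session's
// own patient id, so neither a foreign id nor SQL text can be injected.
function lookup_own_record(PDO $db, int $pid): array
{
    $stmt = $db->prepare('SELECT id, lname, fname FROM patient_data WHERE id = :pid');
    $stmt->bindValue(':pid', $pid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage at the top of a portal page such as the profile or lab-results page:
// $pid  = portal_guard();
// $rows = lookup_own_record($db, $pid);
```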
Four remote code execution bugs were also found that would allow attackers to create requests or upload any type of file, actions that could provide them with access to code execution and escalated privileges.
Another issue found was a group of high-risk cross-site request forgery vulnerabilities. These gave attackers the potential to upload a web shell (a script placed on a web server for remote administration of the machine) and thereby achieve remote code execution, provided they succeeded in deceiving an administrator into clicking a malicious link.