Research team uncovers 20 security flaws in widely used EHR software

by John R. Fischer, Senior Reporter | August 15, 2018

The three other serious findings were an arbitrary file write bug for uploading any file with false requests; an arbitrary file read flaw for viewing files on the site outside of the directory, due to a lack of sanitization; and an arbitrary file deletion issue, also caused by a lack of sanitization.

“The OpenEMR community is very thankful to Project Insecurity for their report, which led to an improvement in OpenEMR's security,” Brady Miller, OpenEMR Project Administrator and CEO of OpenEMR.org, told HCB News. “Responsible security vulnerability reporting is an invaluable asset for OpenEMR and all open source projects. The OpenEMR community takes security seriously and considered this vulnerability high priority, since one of the reported vulnerabilities did not require authentication. A patch was promptly released and announced to the community. Additionally, all downstream packages and cloud offerings were patched.”

Reveal Mobi Pro now available for sale in the US

Reveal Mobi Pro integrates the Reveal 35C detector with SpectralDR technology into a modern mobile X-ray solution. Mobi Pro allows for simultaneous acquisition of conventional & dual-energy images with a single exposure. Contact us for a demo at no cost.

Telfer says the most secure option would be for providers to use traditional health records instead of EHRs and avoid storing any patient information electronically or in a form that can potentially be accessed over the internet. He admits though that such an option is "wishful thinking" for today's world.

"They should instead be storing these records on local machines isolated from any network. Even if they are running an OpenEMR installation purely within a LAN environment, it would still be possible for an attacker to infilftrate the network and utilize the OpenEMR vulnerabiltiies to exfiltrate patient data," he said. "There's no way everyone is going to move away from EHR systems with the current state of technology and the fact that practically everything is internet-connected these days, so instead I'd suggest they implement secure programming practices and perform extensive penetration tests before allowing any of these systems to go live."

Additional issues included three low-risk, unauthenticated information disclosure flaws; a medium-risk, unrestricted file upload bug; and a low-risk group of unauthenticated administrative actions that could be performed with knowledge of the relative URL path.

The upgrade is available on OpenEMR version 5.0.1.4. and was released in mid-to-late July.

Back to HCB News



You Must Be Logged In To Post A Comment Sign In If you've already created an account, use your email address and password to sign in using the form below. Login Problems: Click here if you are having login issues. Email address: Password: Forgot your password? Login Problems? View our Legal Notice and Privacy Notice Register Registration is Free and Easy. Enjoy the benefits of The World's Leading New & Used Medical Equipment Marketplace. Register Now!