
Research team uncovers 20 security flaws in widely used EHR software

by John R. Fischer, Senior Reporter | August 15, 2018
Cyber Security Health IT

The three other serious findings were an arbitrary file write bug for uploading any file with false requests; an arbitrary file read flaw for viewing files on the site outside of the directory, due to a lack of sanitization; and an arbitrary file deletion issue, also caused by a lack of sanitization.
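The three file-handling findings above share one root cause: a user-supplied file name is joined onto a server directory without being checked for traversal segments or absolute paths. The following Python snippet is an added illustration of that failure mode and its fix; it is not OpenEMR code, and the document root, file names and request list are constructed for the example. It shows a naive join that lets `..` and absolute paths escape the directory, beside a containment check that canonicalizes the path and refuses anything that resolves outside the root, which is the same check a read, write or delete handler should run before touching the filesystem.

```python
import os
from typing import List, Optional, Tuple

# Hypothetical document root, constructed for this example (not an OpenEMR path).
DOCUMENT_ROOT = "/srv/ehr/documents"


def unsafe_resolve(user_supplied: str, root: str = DOCUMENT_ROOT) -> str:
    """The unsanitized pattern: join the request onto the root and trust it.

    '..' segments walk out of the root, and os.path.join silently discards
    the root when the user value is absolute, so any file becomes reachable.
    """
    return os.path.join(root, user_supplied)


def safe_resolve(user_supplied: str, root: str = DOCUMENT_ROOT) -> Optional[str]:
    """Return the canonical path inside root, or None if the request escapes.

    Containment is enforced on the resolved path rather than by pattern
    matching on the input, so encoded or nested '..' tricks are handled too.
    """
    # NUL bytes truncate paths in C-level filesystem calls; reject them outright.
    if "\x00" in user_supplied:
        return None
    root_real = os.path.realpath(root)
    # Resolve symlinks and '..' first, then check the result against the root.
    candidate = os.path.realpath(os.path.join(root_real, user_supplied))
    if candidate == root_real:
        return None  # the root directory itself is not a document
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def review_requests(requests: List[str]) -> List[Tuple[str, bool]]:
    """Classify each requested name as allowed or denied under safe_resolve.

    A handler would log the denied entries; a burst of them from one client
    is the detection signal for traversal probing against read/delete endpoints.
    """
    return [(name, safe_resolve(name) is not None) for name in requests]


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, the rest traversal attempts.
    sample = [
        "patient42/report.pdf",
        "../../../etc/passwd",
        "/etc/passwd",
        "patient42/../../config.php",
        "notes\x00.pdf",
    ]
    for name, allowed in review_requests(sample):
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name!r}")
    print("naive join of traversal request ->",
          os.path.normpath(unsafe_resolve("../../../etc/passwd")))
```

Note that the check resolves the root with `realpath` before comparing, so a root that is itself a symlink still compares equal to its resolved children; comparing against the unresolved root string would reject every legitimate request in that layout.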

“The OpenEMR community is very thankful to Project Insecurity for their report, which led to an improvement in OpenEMR's security,” Brady Miller, OpenEMR Project Administrator and CEO of OpenEMR.org, told HCB News. “Responsible security vulnerability reporting is an invaluable asset for OpenEMR and all open source projects. The OpenEMR community takes security seriously and considered this vulnerability high priority, since one of the reported vulnerabilities did not require authentication. A patch was promptly released and announced to the community. Additionally, all downstream packages and cloud offerings were patched.”

Telfer says the most secure option would be for providers to use traditional health records instead of EHRs and avoid storing any patient information electronically or in a form that can potentially be accessed over the internet. He admits though that such an option is "wishful thinking" for today's world.

"They should instead be storing these records on local machines isolated from any network. Even if they are running an OpenEMR installation purely within a LAN environment, it would still be possible for an attacker to infiltrate the network and utilize the OpenEMR vulnerabilities to exfiltrate patient data," he said. "There's no way everyone is going to move away from EHR systems with the current state of technology and the fact that practically everything is internet-connected these days, so instead I'd suggest they implement secure programming practices and perform extensive penetration tests before allowing any of these systems to go live."

Additional issues included three low-risk, unauthenticated information disclosure flaws; a medium-risk, unrestricted file upload bug; and a low-risk group of unauthenticated administrative actions that could be performed with knowledge of the relative URL path.

The upgrade is available on OpenEMR version and was released in mid-to-late July.
