The personal health records of around 100 million people could be at risk from a number of flaws found in a popular open source software for managing medical records.
According to a report published by Project Insecurity, OpenEMR, open source software used by medical organisations to store electronic medical records, contains several flaws including a portal authentication bypass, multiple instances of SQL injection, multiple instances of remote code execution, unauthenticated information disclosure, unrestricted file upload, CSRFs including a CSRF to RCE proof of concept, and unauthenticated administrative actions.
The researchers rated the severity of 18 of the vulnerabilities as "high" and could have been exploited by an attacked with low-level access to servers running the software.
The researchers found the bugs by setting up an OpenEMR testing lab on a Debian LAMP server with the latest source code downloaded from Github. The flaws were found by manually reviewing the source code and modifying requests with Burp Suite Community Edition. Researchers added that "no automated scanners or source code analysis tools were used."
So far, there has been no evidence of any data breach or records stolen, but researchers said that such exposure was a concern.
Researchers alerted the developers of OpenEMR earlier this month with the vendor pushing out an update to fix the vulnerabilities on 20 July.
OpenEMR said in a statement: "The OpenEMR community is thankful to Project Insecurity for their report, which led to an improvement in OpenEMR's security. Responsible security vulnerability reporting is an invaluable asset for OpenEMR and all open source projects. The OpenEMR community takes security seriously and considered this vulnerability high priority since one of the reported vulnerabilities did not require authentication. A patch was promptly released and announced to the community. Additionally, all downstream packages and cloud offerings were patched."
Keith Graham, CTO at SecureAuth + Core Security, told SC Media UK that healthcare is now the most vulnerable industry to data breaches, with 328 breaches reported in 2017 alone (accounting for 60 percent of all breaches last year). And the total estimated cost of these breaches is "skyrocketing".
"Organisations, such as OpenEMR system who handle sensitive data, are a prime target for attackers globally and cannot afford to have any gaps in their cyber-security," he said.
"In this case, one of the vulnerabilities did not require any authentication, and when you’re dealing with this number of patient records, that is simply unacceptable, as a crucial element to quick and effective security is ensuring that the right people are accessing the right information at the right time."
High-Tech Bridge's CEO Ilia Kolochenko, told SC Media UK that the remediated vulnerabilities definitely bring OpenERM to a better overall security level and probably even cover some 0days exploited in the wild by cyber-criminals.
"Now, however, the main risk for the patients and their data will be medical institutions who may unreasonably delay patching or even won’t patch at all. Attackers will certainly start exploiting the vulnerabilities found very soon, as health records can be traded at a very attractive price on the black market," he said.