Share this article on:
OpenEMR is an open-source electronic health record management system that is used by many thousands of healthcare providers around the world. It is the leading free-to-use electronic medical record platform and is extremely popular.
Around 5,000 physician offices and small healthcare providers in the United States are understood to be using OpenEMR and more than 15,000 healthcare facilities worldwide have installed the platform. Around 100 million patients have their health information stored in the database.
Recently, the London-based computer research organization Project Insecurity uncovered a slew of vulnerabilities in the source code which could potentially be exploited to gain access to highly sensitive patient information, and potentially lead to the theft of all patients’ health information.
The Project Insecurity team chose to investigate EMR and EHR systems due to the large number of healthcare data breaches that have been reported in recent years. OpenEMR was the natural place to start as it was the most widely used EMR system and with it being open-source, it was easy to test the code without running into legal problems. The findings of the investigation into OpenEMR v188.8.131.52 are detailed in Project Insecurity’s vulnerability report (PDF).
After identifying around 20 serious vulnerabilities, the vendor was contacted on July 7, 2018 and was given a month before public disclosure, allowing time for developers to correct the flaws.
One of the most serious vulnerabilities discovered allowed an attacker to bypass authentication on the Patient Portal Login. The authentication was simple, requiring next to no skill to pull off. An individual only needed to navigate to the registration page and modify the requested URL to access the desired page. By exploiting this flaw, it would be possible to view and alter patient records and potentially compromise all records in the database.
Project Insecurity discovered nine flaws that allowed SQL injection which could be used to view data in a targeted database and perform other database functions, four flaws could be exploited that would allow remote code execution to escalate privileges on the server, several cross-site request forgery vulnerabilities were discovered, three unauthenticated information disclosure vulnerabilities, an unrestricted file upload flaw, and unauthenticated administrative actions and arbitrary file actions were possible.
The vulnerabilities were identified through a manual review of the code and by modifying requests. No source code analysis tools were used. If the flaws had been found by a hacker, huge numbers of medical records could have been accessed, altered, and stolen.
OpenEMR has now issued patches to correct all the flaws identified by the Project Insecurity team.