Editor’s note: In the article, we dwell on the weak points of popular healthcare software for you to be aware of the potential vulnerabilities. And if you want to make sure your healthcare application is well protected from security threats, explore our security testing offer.
OpenEMR is the most popular open-source solution to manage electronic medical records. Statistics indicate 100 million patients have data in the system worldwide.
One aspect that makes this software popular is that people tend to trust it as being safe and free from problems. However, cybersecurity researchers conducted a review of the source code that uncovered numerous vulnerabilities, and later published it in a paper.
The team made their testing environment on a Debian LAMP server and downloaded the latest OpenEMR source code. Then they manually reviewed it without using source code scanners or other automated tools.
Here are some of the most troubling weaknesses the researchers found.
Unauthorized access to administrative functions
The patient portal is a primary component of the OpenEMR system. It enables patients to communicate with their providers, fill out and sign forms before their appointments and even have video consultations with health professionals.
Unauthenticated users could bypass the main login screen that permitted patients to access records or let administrators handle requests. Infiltrators could do so by navigating to the portal registration page, then modifying a URL. Knowing a relative URL's path let hackers perform administrative actions.
Patient portal vulnerabilities may lead to the leakage of such sensitive information as lab results, details about allergies and medications and unauthorized access to payment details.
An SQL injection is one of the most common kinds of hacks. It requires inserting malicious code into SQL databases through web-based inputs. This kind of attack allows people to view and manipulate database content. In the case of OpenEMR, the researchers carried out about eight SQL injections.
Some of the SQL injections the researchers used did not require authentication to the patient portal first. However, all of them needed authentication to OpenEMR for the exploitation to happen.
The cybersecurity specialists provided details about the affected code snippets. They recommended using parameterized queries for those parts of the code, which is a widely accepted way to prevent SQL injection attacks. A parameterized query involves using placeholders for parameters and supplying the necessary values when executing an SQL query.
Unauthorized information disclosure
Unauthorized information disclosure happens when an application does not adequately protect sensitive information from parties that should not have access to it. As such, it could give hackers details to assist them in later stages of the attack.
Research revealed several instances of unauthorized information disclosure within OpenEMR. One showed unauthenticated users’ details, including the database name and the current version of OpenEMR an organization used. Another one displayed version information about the installed edition of OpenEMR.
During their research, the cybersecurity professionals found a problem perpetuated by non-existent checks on image files uploaded by administrators. They concluded the issue would allow authenticated users to gain privileges by uploading a PHP web shell to carry out system commands.
Recommendations for fixing the problem included blacklisting non-image extensions or employing other checks to verify an uploaded file is an image.
Cross-site request forgery issues
The researchers found OpenEMR was vulnerable to “more than several” cross-site forgery request issues, and that the problems affected nearly all the administrative actions possible on OpenEMR.
Less than three weeks after the team disclosed their findings to the software manufacturer, the company pushed an update that fixed the vulnerabilities. Approximately two weeks after that responsive action, the news of the uncovered problems were released to the public.
The research showed that periodic vulnerability assessment and penetration testing conducted by professionals could help to reveal vulnerabilities in similar platforms before they get exploited. Now that the issues in Open EMR have come to light, cybersecurity professionals working at healthcare organizations can check to ensure they don’t resurface.
This is a wake-up call
No online system, even a widely used one, is free from security issues. The research undertaken by security specialists revealed the flaws in OpenEMR, which should remind organizations in the medical sector they can’t afford to overlook security practices.