Over 20 Serious Vulnerabilities Found in OpenEMR Platform

OpenEMR is a free, open-source electronic health record (EHR) management system that is used by a large number of healthcare providers around the world, especially small practices. It’s the leading free-to-use electronic health record system in use.

Approximately 5,000 physician offices and small healthcare facilities in the U.S. are known to be using OpenEMR, and over 15,000 healthcare establishments worldwide use the platform. The medical data of approximately 100 million patients is stored in the system.

Recently, Project Insecurity discovered several vulnerabilities in the source code that could be exploited to gain access to highly sensitive patient data. The Project Insecurity team chose to investigate EMR and EHR systems because of the large number of healthcare data breaches reported in recent years. OpenEMR was the natural place to begin the investigation because it is the most widely used EMR system and, being open source, its code could be reviewed without legal risk.

Following the identification of about 20 critical vulnerabilities, the vendor was contacted on July 7, 2018 and was given one month before public disclosure, allowing the developers the time they needed to fix the problems. Patches have now been issued to correct most of the flaws.

One serious vulnerability would allow an attacker to bypass the authentication required on the Patient Portal Login page. Exploiting the flaw would require no technical skill and would allow patient data to be viewed and modified, potentially giving access to the entire patient database.

Below is a summary of the vulnerabilities identified by Project Insecurity researchers:

  • 9 SQL injection flaws
  • 4 remote code execution flaws
  • Multiple cross-site request forgery vulnerabilities
  • 3 unauthenticated data disclosure vulnerabilities
  • 1 unrestricted file upload flaw
  • Unauthenticated administrative actions and arbitrary file actions

The vulnerabilities were discovered through manual review of the code; no automated source code analysis tools were used. Had the vulnerabilities been found by an attacker first, huge volumes of medical records could have been viewed, modified, and stolen.