How an OpenEMR Weakness Endangered Patient Information

Across the world, more than 90 million patients visit physicians and healthcare organizations that used an open-source software platform called OpenEMR. And any number of them might be vulnerable to data theft, according to a recent analysis by a cybersecurity firm.

Risk Based Security (RBS), a Virginia-based outfit founded in 2011, used its vulnerability intelligence solution, VulnDB, to assess the defenses built into OpenEMR, which, as its name suggests, provides a free, collaboratively developed electronic medical record (EMR) program to providers. RBS identified 188 unique users of the software—the largest number available through public means—and found that 141, or 75%, had a gaping security hole, the company wrote this week.

It turned out that a SQL injection vulnerability existed—and, in some cases, could still exist, despite a security patch—in the program’s setup.php script, RBS noted. Although best practices mandate the removal of these installation scripts, system administrators don’t always do that. In this case, OpenEMR’s support guide merely recommended the deletion, a warning that RBS found too calm and troubling.

“We believe that this phrasing is far too vague to convince a customer to remove the setup scripts,” said Sven Krewitt, senior vulnerability researcher for RBS and research head for this project. “It also fails to properly warn about the risks of not doing so.”

But what risks does this flaw pose? To put it simply, any patient of a healthcare organization using the unsecured EMR system could fall victim to hackers. Their sensitive data could be compromised, according to RBS, or even sold on the black market.

During his investigation, Krewitt found that OpenEMR had been installed at doctors’ offices and “other small healthcare facilities” more than 5000 times, affecting 30 million patients. Across the globe, more than 15,000 institutions comprising more than 45,000 providers and serving roughly 90 million patients had installed the software. “Any security issue in OpenEMR has the potential for widespread impact,” RBS researchers wrote.

Since 2006, 118 vulnerabilities have appeared in the software, according to the RBS inquiry.

Healthcare Analytics News™ could not immediately reach anyone associated with the free software platform.

But the findings prompted a security fix from OpenEMR’s stable of developers, though organizations and patients might remain at risk, RBS said, adding that 54% of the open installations in this test were vulnerable to an attack in which hackers could access all stored patient data. The team also said most of the affected entities were based in the United States, and many used the cloud.

“While we still believe that other installations on private networks are affected, the fact that these cloud installations are impacted means that many organizations’ and patients’ data is quite likely currently exposed,” RBS wrote.

The firm informed 78 of the 141 groups of the vulnerability. Difficulty finding security contacts at the other organizations slowed the process, though RBS said it has reached out to them.

For more information on how, exactly, hackers could have exploited the entryway, check out the RBS post.

^{Image depicts how a hacker might enter a database through OpenEMR. Courtesy of RBS.}