OpenEMR flaws could expose healthcare records of around 100 million patients

  • Researchers have rated 18 of the discovered vulnerabilities as ‘severe’.
  • Vulnerabilities including portal authentication bypass, SQL injection, remote code execution and unauthorized information disclosure have been found in OpenEMR.

A barrage of vulnerabilities has been discovered in the popular open-source software OpenEMR, which could put the personal health records of around 100 million patients at risk of a breach or data exposure.

The open-source software, which medical organizations use to store electronic medical records, contains several classes of flaw, including portal authentication bypass, SQL injection, remote code execution, unauthorized information disclosure and unrestricted file upload. Cross-site request forgery (CSRF) vulnerabilities were also discovered, among them one for which the researchers produced a proof of concept that chains CSRF into remote code execution.

According to security researchers at Project Insecurity, who rated 18 of the discovered vulnerabilities as ‘severe’, the flaws could be exploited by an attacker to gain access to OpenEMR servers.

Meanwhile, OpenEMR officials plan to fix these issues as soon as possible.

"The OpenEMR community is thankful to Project Insecurity for their report, which led to an improvement in OpenEMR's security," OpenEMR said, SC Magazine reported. "Responsible security vulnerability reporting is an invaluable asset for OpenEMR and all open source projects. The OpenEMR community takes security seriously and considered this vulnerability high priority since one of the reported vulnerabilities did not require authentication.

"A patch was promptly released and announced to the community. Additionally, all downstream packages and cloud offerings were patched."

While there is no evidence of a breach or any records stolen or misused, the researchers say this exposure of data is a major security concern. Medical facilities that use OpenEMR have been advised to update their systems as soon as possible to avoid any data leaks.