Electronic Healthcare Records , Governance & Risk Management , Healthcare
OpenEMR Flaws Could Allow Attackers to Steal Data, More
Patch Available for Open-Source Electronic Health Records SoftwareThe nonprofit behind an open-source electronic health record says it released a patch fixing a trio of security flaws that could allow attackers to steal patient data and potentially compromise an organization's entire IT infrastructure.
See Also: Securing Healthcare: Minimizing Risk in an Ever-Changing Threat Landscape
Security researchers at Sonar, a company that touts itself as a platform for "clean code," say they detected a trio of vulnerabilities that attackers could chain together to execute code on servers running versions of OpenEMR 7.0.0.
The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center also issued its own OpenEMR alert Wednesday based on Sonar's findings.*
The vulnerability is contained in the setup.php
script. A report by Sonar says that the OpenEMR installer does not automatically delete itself after a successful installation. OpenEMR Project Administrator Brady Miller tells Information Security Media Group that "all patches have been removing this script for last several years; and all downstream dockers and cloud offerings remove this script."
"That being said, the OpenEMR community still felt this was a critical vulnerability, so it was promptly addressed and fixed," Miller adds.
OpenEMR dates back to about 2002, and developers have maintained it through the years. It is certified by the U.S. government as an ONC Complete Ambulatory EHR. Usage numbers are difficult to come by, and its install base in the United States is likely confined to small clinics.
KLAS Research, which tracks the health IT market, tells Information Security Media Group it doesn't have data on installation rates of open-source electronic medical records, since "they are not big enough of a software for us to gather data on or rate." Privately held Epic Systems Corp. has the most EHR installs among U.S. acute care hospitals, holding approximately one-third of total market share, KLAS stated in a 2022 report.
Miller says OpenEMR is downloaded more than 3,000 times per month, and he estimates that more than 100,000 medical providers serving more than 200 million patients across the globe use OpenEMR. The open-source software is available in 34 languages.
Sonar says the vulnerabilities it identified are:
- Unauthenticated arbitrary file read;
- Authenticated local file inclusion;
- Authenticated reflected XSS.
OpenEMR released version 7.0.0 in November, which addressed the vulnerabilities.
The unauthenticated arbitrary file read flaw alone allows unauthenticated attackers to read files including certificates, passwords, tokens and backups from an OpenEMR instance via a rogue MySQL server, Sonar says.
Earlier Issues
The Sonar findings are not the first set of concerning security vulnerabilities identified in OpenEMR by researchers. In 2018, London-based security research firm Project Insecurity identified nearly two dozen weaknesses in OpenEMR.
OpenEMR issued patches to address the vulnerabilities before Project Insecurity publicly released its report (see: Numerous OpenEMR Security Flaws Found; Most Patched).
The vulnerabilities involving OpenEMR also spotlight similar security challenges involving the use of other open-source software in healthcare, says Keith Fricke, principal consultant at privacy and security consultancy tw-Security.
"Use of one or more varieties of Linux - most of which are open source - is fairly common in healthcare organizations as an on-premises or remotely hosted platform for applications," Fricke says, adding that open-source software maintenance is generally handled by a community of people that fix bugs and provide feature updates.
"Such updates may not be released with the same urgency or expediency as commercial software," he says. "News of a vulnerability may catch the attention of criminals, who may start targeting these vulnerable systems."
*Update Feb. 1, 2023 13:20 UTC: Adds note about new HHS HC3 alert.