Numerous OpenEMR Security Flaws Found; Most PatchedOpen Source Electronic Medical Records System Used Worldwide
Nearly two dozen security weaknesses in OpenEMR - open source electronic medical record and practice management software - left patient data vulnerable to cyberattacks before most were patched, according to the London-based security research firm Project Insecurity.
"I believe, by definition, open source software is more prone to coding risks and inconsistencies than 'closed source' code'" software, says former healthcare CIO David Finn, executive vice president of security consultancy CynergisTek. "That said, plenty of bad code comes out of proprietary software developers, too."
In its Aug. 7 report, Project Insecurity says researchers determined that attackers could bypass patient portal authentication, wage SQL injection attacks, complete remote code execution, gain information disclosure without authentication, upload files without restrictions, wage cross-site request forgery attacks and complete unauthenticated administrative actions.
Millions of Records
The report claims that OpenEMR "is the most popular open-source electronic medical record and medical practice management solution."
Project Insecurity researcher Daley Bee, one of the authors of the new report, tells Information Security Media Group that the OpenEMR software is estimated to manage 90 million to 110 million patient records worldwide. Of those, about 10 million records are in the U.S., Project Insecurity estimates.
In the U.S., the platform is typically used by smaller healthcare entities, some security experts say. OpenEMR claims on its website, however, that the U.S. Peace Corps is among its users.
Addressing the Flaws
A seven-member team of Project Insecurity researchers discovered the vulnerabilities in the OpenEMR software "by manually reviewing the source code and modifying requests with Burp Suite Community Edition, [with] no automated scanners or source code analysis tools [being] used," the report notes.
Bee tells ISMG that the most troubling vulnerability identified was the patient portal authentication bypass, "due to it opening an unauthenticated attacker with no prior access to straight-up abuse multiple remote command execution vulnerabilities that are nested deeper within the application that would normally require authentication to reach."
OpenEMR addressed all the issues Project Insecurity identified before the research firm released its report, Bee stresses.
"We contacted them originally and within two days we had agreed on a 30 days disclosure date as time for them to fix," he says. "I must say, OpenEMR did an incredible job with our report and rushed rapidly to push fixes. All vulnerabilities were fixed in less than a week."
Project Insecurity does not know how long the vulnerabilities existed in the software, Bee says.
The OpenEMR community "is very thankful to Project Insecurity for their report, which led to an improvement in OpenEMR's security," Brady Miller, OpenEMR project administrator, tells ISMG.
"Responsible security vulnerability reporting is an invaluable asset for OpenEMR and all open source projects. The OpenEMR community takes security seriously and considered this vulnerability report a high priority since one of the reported vulnerabilities did not require authentication," Miller says. "A patch was promptly released and announced to the community. Additionally, all downstream packages and cloud offerings were patched."
So, what's been fixed?
"The key vulnerability in this report is the patient portal authentication bypass, which essentially allows a bad actor to bypass authentication and gain access to OpenEMR - if the patient portal is turned on," Miller says. "All the other vulnerabilities require authentication."
The patient portal authentication bypass, multiple instances of SQL injection, unrestricted file upload, remote code execution and arbitrary file actions vulnerabilities "were all fixed," he says.
"The unauthenticated information disclosure and unauthenticated administrative actions involve files that are removed after installation, so there was no fix needed," he adds.
However, "the CSRF [cross-site request forgery] was not fixed, and OpenEMR is working on a mechanism, which will require substantial code changes, to prevent this in the next OpenEMR version."
To address the problems, healthcare entities need to install the most recent OpenEMR patch. "New patches and security fixes are announced to the registration list in addition to OpenEMR's online forum and social accounts - such as Twitter, Facebook, etc. There is an OpenEMR online community that can provide free support in addition to a group of vendors that can provide professional support," Miller says.
Open Source Bugs
So, is open source software more likely to contain vulnerabilities than commercial software?
"These vulnerabilities are much more commonly found in open source software than commercial software as a service, since you have the ability to simply read and manually analyze the source code [of open source software]," Bee says. "For commercial software, you don't have the source code access, thus limiting you to blackbox testing, simulating an attack from an outsider."
Tom Walsh, founder and managing partner at tw-Security, adds: "The source code to commercial software is tightly protected," and therefore more difficult to assess by outsiders. "Open source code is being scrutinized by thousands of users. Therefore, the odds are greater for finding vulnerabilities in the code."
Open source software is available for the public or subscribers to use and modify, Finn notes. "The intent was that people would enhance and improve the product more quickly on a continuous basis. Unfortunately, with all those people with different ideas, it often means that the software can take plenty of curious bends and forks with processes and testing that are not well controlled."
Of the OpenEMR vulnerabilities identified by researchers, several are particularly troubling, some experts say.
"It is probably important to note that while none of the flaws were "critical," 17 of the 22 noted [in the report] were ranked as 'high severity,'" Finn says.
"Complex systems, like EMRs, tend to fail in complex ways."
—David Finn, CynergisTek
"I would concur with Project Insecurity that the portal authorization bypass is the most troubling issue. If a user bypassed the portal authorization, they could gain access to patient demographics, all EMR records including prescription and billing information."
Walsh says the two most worrisome vulnerabilities are the SQL injection flaws and unrestricted file upload.
"Multiple SQL injection: By now, any software developer or programmer knows about this vulnerability and how it has been exploited in the past by hackers. Unrestricted file upload: Without some restrictions, the OpenEMR software relies solely on the user's endpoint protection, such as anti-virus software," Walsh says.
"If a clinic or physician practice doesn't want to spend the money on a commercial EMR, they may not be spending money on commercial anti-virus software. While there are some decent free versions of anti-virus software - you get what you pay for."
Healthcare entities using open source software should conduct their own vulnerability scans and code reviews, Walsh suggests. "Invest in good security at the server and workstation level," he advises.
"Complex systems, like EMRs, tend to fail in complex ways," Finn notes. "It is not just the security of the application software; it will depend on many variables - the configuration settings on the app, the operating system, the patches in place, network security and operational controls, like access management."