Multiple vulnerabilities in a popular healthcare software provider’s products may have put the data of over 90 million patients at risk.
OpenEMR develops open source electronic health record (EHR) and practice management tools, which are used to serve an estimated 30 million patients in the US and over three times that number globally.
However, according to a report released by researchers at Project Insecurity this week, its products were riddled with over 20 serious issues.
These included nine separate SQL injection vulnerabilities, four remote code execution flaws and several arbitrary file read, write and delete bugs. Others included a portal authentication bypass, unauthenticated information disclosure, and cross-site request forgery.
The group reached out to the vendor on July 7 and gave it a month to fix the bugs before going public.
The firm has now patched “most” of the vulnerabilities disclosed, according to the BBC.
“The OpenEMR community takes security seriously and considered this vulnerability report high priority since one of the reported vulnerabilities did not require authentication,” a statement noted.
Healthcare was the industry most affected by breaches (24%) last year, and also the only sector in which insider threats (56%) outweighed those from external attackers (43%), according to Verizon.
Separate research from Thales eSecurity claimed that 70% of global healthcare organizations have been breached.
“Organizations such as OpenEMR who handle sensitive data are a prime target for attackers globally and cannot afford to have any gaps in their cybersecurity,” argued Keith Graham, CTO at SecureAuth Core Security.
“Keeping data available, confidential and safe isn’t just a business issue — it allows healthcare personnel to provide the best patient care possible. This discovery should act as a warning to other healthcare organizations to examine their own cybersecurity posture, including extensive pen testing, and improve their approach to authentication.”