Open-source snafu leaves patient data exposed

  • 13 August 2018

Millions of patient records are feared to have been jeopardised after security flaws were discovered in open-source healthcare software.

Researchers at cyber security outfit Project Insecurity discovered dozens of security bugs in the OpenEMR system, which is described as the “most popular open source electronic health records and medical practice management solution”.

Many of the flaws were classified as being of high severity, leaving patient records and other sensitive information within easy reach of would-be hackers.

One critical flaw meant that an unauthenticated user was able to bypass the patient portal login simply by navigating to the registration page and modifying the URL, Project Insecurity reported in its findings.
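The bypass described above reached protected portal pages without a login. The defensive pattern is one server-side gate that checks the session on every request, so how a visitor arrived at a URL (for instance by editing it after opening the registration page) makes no difference. Added example in Python, not OpenEMR's code: the route names, the Session object and the credential table are constructed for illustration.

```python
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

@dataclass
class Session:
    # Set only by a successful credential check, never by the registration page.
    patient_id: Optional[int] = None

@dataclass
class Request:
    path: str
    session: Session = field(default_factory=Session)

# Explicit allow-list of routes reachable without a login; everything else is protected.
PUBLIC_ROUTES = {"/portal/login", "/portal/register"}

# Constructed credential table for the demo (username -> (password, patient_id)).
# Real code verifies a password hash rather than comparing plaintext.
USERS = {"alice": ("correct horse", 42)}

def register(req: Request) -> str:
    # Registration creates an account; it deliberately does not log the visitor in.
    return "registration form"

def show_record(req: Request) -> str:
    return f"record for patient {req.session.patient_id}"

ROUTES: Dict[str, Callable[[Request], str]] = {
    "/portal/register": register,
    "/portal/login": lambda req: "login form",
    "/portal/records": show_record,
}

def login(session: Session, username: str, password: str) -> bool:
    """Authenticate; only this function may mark a session as logged in."""
    entry = USERS.get(username)
    if entry is None or not hmac.compare_digest(entry[0], password):
        return False
    session.patient_id = entry[1]
    return True

def dispatch(req: Request) -> Tuple[int, str]:
    """Central gate: the session is checked here, before any handler runs."""
    handler = ROUTES.get(req.path)
    if handler is None:
        return 404, "not found"
    if req.path not in PUBLIC_ROUTES and req.session.patient_id is None:
        return 401, "login required"  # no protected handler code executes
    return 200, handler(req)
```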

OpenEMR is used in medical organisations around the world to manage health records and patient information, as well as handle billing and administration processes.

Brady Miller, OpenEMR project administrator, told Digital Health News it wasn’t clear how many UK organisations may have been affected because the system is open source.

“OpenEMR is an open source software project and does not require registration. There is an optional registration which only collects email addresses, so the number of OpenEMR users in the NHS or UK is not known,” said Miller.

“New patches and security fixes are announced to the registration list in addition to OpenEMR’s online forum and social accounts (such as Twitter, Facebook, etc.). There is an online community at open-emr.org that can provide free support, in addition to a group of vendors that can provide professional support.”

The severity of the flaws drew criticism from security professionals.

Keith Graham, CTO at security software firm Core Security, said: “Strong access control is essential for informed treatment and optimal patient outcomes. In life and death situations cybersecurity shouldn’t be hindering medical professionals from doing their jobs, but it can no longer afford to take a backseat.

“In this case, one of the vulnerabilities did not require any authentication, and when you’re dealing with this number of patient records, that is simply unacceptable, as a crucial element to quick and effective security is ensuring that the right people are accessing the right information at the right time.”

Nick Viney, regional vice president for UK, Ireland and South Africa at McAfee, said: “Medical data is a valuable commodity for cyber criminals, so it is crucial that vulnerabilities like this are patched quickly through cooperation between the security and healthcare industries.”

“Healthcare organisations must first and foremost recognise the value of the data they protect, and therefore its appeal to cyber criminals. It is also crucial that security is built in from the outset with robust processes.”

Security patches have now been issued for the software to address the issues.


8 Comments

  • The very fact that it is open source at least allows it to be examined, tested and vulnerabilities tested but then most importantly – shared and repaired.

    If you read the actual report from Project Insecurity they make it very clear on what action was taken:
    1.3 – Disclosure Timeline
    July 7th, 2018 – Reached out to vendor
    July 9th, 2018 – Made first contact, agreed to a one-month public disclosure release date
    July 20th, 2018 – Vendor pushes an update fixing the vulnerabilities
    August 7th – Public Release Date

  • @CliniTech – I don’t understand your comment. All software has bugs and vulnerabilities, closed systems may have vulnerabilities that others know about but not the supplier e.g. Microsoft Windows and NSA EternalBlue which led to WannaCry.

    Open source is indeed vulnerable to inspection, but is also strengthened by inspection. These vulnerabilities were found by security researchers. If you read the timeline the vendor was made aware and published an update before this research was publicly released.

    If only the NSA had told Microsoft what it knew about EternalBlue and other exploits before they were stolen (?leaked) then they might have been patched before 300,000 machines were bricked.

    • Hi Paul, I agree but my concern has always been around giving the core code for manipulating, potentially creating additional vulnerabilities by accident.

      I totally think that all organisations should freely develop content, but the core framework of the system which would have gone through vigorous testing multiple times should remain consistent.

      • I also think a key point raised is no one knows how many records were accessed… so who else discovered this and abused it before the researchers got there. Hopefully, no one did.

  • I’m interested in removing the N from SNAFU. Does open source = non-attributable?

  • Hands up how many principal suppliers have had this problem?

  • Yes it’s open source but the fault has been found and fixed.

    I could quote several closed source systems from numerous suppliers which have default user names and passwords but that’s all hidden isn’t it.

  • It was just a matter of time really. Of course leaving source code in the public domain leaves the door wide open for this type of issue.

    Suppliers these days have a host of tools to allow for organisations to develop their own content in house while retaining the core security.

    Security should be at the heart not an afterthought.
