Millions of patient records are feared to have been jeopardised after security flaws were discovered in open-source healthcare software.

Researchers at cyber security outfit Project Insecurity discovered dozens of security bugs in the OpenEMR system, which is described as the “most popular open source electronic health records and medical practice management solution”.

Many of the flaws were classified as being of high severity, leaving patient records and other sensitive information within easy reach of would-be hackers.

One critical flaw meant that an unauthenticated user was able to bypass the patient portal login simply by navigating to the registration page and modifying the URL, Project Insecurity reported in its findings.

OpenEMR is used in medical organisations around the world to manage health records and patient information, as well as handle billing and administration processes.

Brady Miller, OpenEMR project administrator, told Digital Health News it wasn’t clear how many UK organisations may have been affected because the system is open source.

“OpenEMR is an open source software project and does not require registration. There is an optional registration which only collects email addresses, so the number of OpenEMR users in the NHS or UK is not known,” said Miller.

“New patches and security fixes are announced to the registration list in addition to OpenEMR’s online forum and social accounts (such as Twitter, Facebook, etc.). There is an online community at open-emr.org that can provide free support, in addition to a group of vendors that can provide professional support.”

The severity of the flaws drew criticism from security professionals.

Keith Graham, CTO at security software firm Core Security, said: “Strong access control is essential for informed treatment and optimal patient outcomes. In life and death situations cybersecurity shouldn’t be hindering medical professionals from doing their jobs, but it can no longer afford to take a backseat.

“In this case, one of the vulnerabilities did not require any authentication, and when you’re dealing with this number of patient records, that is simply unacceptable, as a crucial element to quick and effective security is ensuring that the right people are accessing the right information at the right time.”

Nick Viney, regional vice president for UK, Ireland and South Africa at McAfee, said: “Medical data is a valuable commodity for cyber criminals, so it is crucial that vulnerabilities like this are patched quickly through cooperation between the security and healthcare industries.”

“Healthcare organisations must first and foremost recognise the value of the data they protect, and therefore its appeal to cyber criminals. It is also crucial that security is built in from the outset with robust processes.”

Security patches have now been issued for the software to address the issues.