Researchers from Project Insecurity unraveled the disturbing fact the millions of patient records were lying rather bare to attack from potential hackers. 18 grave vulnerabilities were discovered before OpenEMR tackled the issues.

Consequently, Project Insecurity held its report until OpenEMR could address the problem areas.

The researchers furnished a list of all portal directory pages that would reveal to the hacker, including patient profiles.

The researchers also exposed numerous cases of SQL injections, which can be used to observe data from a specific database or to execute other tasks like performing database functions. There also were several security concerns that could have invited remote code execution and others that could have unveiled data.

OpenEMR’s management system also was unlocked to access by hackers through unobstructed upload errors, unvalidated information disclosures and unauthenticated administrative actions.

The vulnerabilities needed no automated scanning or source code analysis software. The researchers discovered them by mere manual reviewing of the source code and altering requests. If sought by a hacker, they could access patient records, compromised databases and sensitive system data, and elevate privileges, or upload files.

A test lab was positioned to examine the platform, as OpenEMR was cautioned of system flaws by Risk Based Security in November 2017. The report revealed a configuration vulnerability that could render a system to total compromise.

Patches have been made available to cloud customers and users. OpenEMR presented an update to tackle these issues on Aug 7.

Platform vulnerabilities and botched patches are offering hackers a quiet simpler way to encroach into private data. Patch management and supervision are critical to check these errors.