Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?



Critical OpenEMR Vulnerabilities Give Hackers Remote Access to Health Records

Several vulnerabilities found by researchers in the OpenEMR software can be exploited by remote hackers to obtain medical records and compromise healthcare infrastructure.

Several vulnerabilities found by researchers in the OpenEMR software can be exploited by remote hackers to obtain medical records and compromise healthcare infrastructure.

OpenEMR is an open source management software designed for healthcare organizations. The free application is highly popular and it provides a wide range of features for managing health records and medical practices.

Researchers at Swiss-based code quality and security solutions provider SonarSource discovered earlier this year that OpenEMR is affected by four types of vulnerabilities that impact servers using the Patient Portal component.

The list of vulnerabilities includes command injection, persistent cross-site scripting (XSS), insecure API permissions, and SQL injection.

The Patient Portal enables healthcare organizations to allow their patients to perform various tasks online, such as communicating with doctors, filling out new patient registration forms, making appointments, making payments, and requesting prescription refills.

However, SonarSource researchers determined that if the Patient Portal is enabled and accessible from the internet, an attacker could take complete control of the OpenEMR server by chaining the vulnerabilities they’ve found.

According to SonarSource, the Patient Portal has its own API interface, which can be used to control all portal actions. Using this API requires authentication, but the researchers found a way to bypass it, allowing them to access and make changes to patient data, or to change information associated with backend users, such as administrators.

An attacker who is able to change administrator account data can exploit the persistent XSS vulnerability to inject malicious code that would get executed when the targeted admin logs in to their account.

Advertisement. Scroll to continue reading.

The JavaScript code triggered through the XSS vulnerability can then exploit the command injection vulnerability found by the researchers. The ability to execute arbitrary OS commands enables the attacker to take complete control of the OpenEMR server.

Alternatively, if the attacker targets a user with lower privileges rather than an administrator, they can exploit the SQL injection vulnerability to gain access to the patient database and steal potentially valuable data.

Exploitation of the XSS and command injection flaws requires admin privileges, but the SQL injection bug can be exploited with regular user privileges.

SonarSource discovered the vulnerabilities in OpenEMR and they were patched with the release of version in August. Details of the flaws were only made public now to give users enough time to install the update.

Related: Serious OpenEMR Flaws Expose Medical Records

Related: FDA Approves Use of New Tool for Medical Device Vulnerability Scoring

Related: DHS Warns of Critical Flaws in Medtronic Medical Devices

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights