Researchers at Risk Based Security are warning healthcare providers using OpenEMR about a vulnerability in its configuration that may expose the system to a complete compromise, the firm wrote in a blog post.
OpenEMR is an open-source EHR management application used in thousands of physician offices and small healthcare facilities around the world, and it hosts data on more than 90 million patients. In the U.S., it is estimated there are more than 5,000 installations of OpenEMR in physician offices, serving more than 30 million patients. It is a PHP-based web application that fully integrates with EHRs and practice management, scheduling and electronic billing.
According to RBS researchers, many OpenEMR installations contain the original setup script, called setup.php. This poses a big problem because these installer scripts — which are usually deleted after installation — were not being removed automatically, meaning a third party could instantiate additional sites of the install.
"Having access to a setup script typically means that the functionality, which handles the initial configuration of the application, is within reach. Considering initial configuration usually requires administrative access, this is immediately a concern," the blog post reads.
Official documentation advises users to consider removing or blocking access to the script, instructions RBS deems too vague.
"We believe that this phrasing is far too vague to convince a customer to remove the setup scripts," Sven Krewitt, senior vulnerability researcher at RBS, said. "It also fails to properly warn about the risks of not doing so."
The researchers found the setup script was accessible in 141 out of 188 searchable installs. "While the sample size is small, we can make a decent assumption that a substantial percentage of the over 20,000 [global] installations of OpenEMR are in a similar state," the researchers wrote.
The issue has been reported to OpenEMR developers, and the company released a patch earlier this month, in addition to revising their documentation.
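An operator who wants to know whether a leftover setup.php is still being served can check the web server's access log. The script below is an added example, not code from RBS or OpenEMR; it assumes the Apache/nginx combined log format, and the log lines in it are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined log format: client, identity, user, [time], "request", status, ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:01:02 +0000] "GET /openemr/setup.php HTTP/1.1" 200 5120 "-" "-"
198.51.100.7 - - [01/Jan/2024:10:01:09 +0000] "POST /openemr/setup.php?a=1 HTTP/1.1" 200 2210 "-" "-"
203.0.113.20 - - [01/Jan/2024:10:05:44 +0000] "GET /openemr/%73etup.php HTTP/1.1" 403 199 "-" "-"
203.0.113.21 - - [01/Jan/2024:10:06:00 +0000] "GET /openemr/interface/login/login.php HTTP/1.1" 200 4000 "-" "-"
203.0.113.22 - - [01/Jan/2024:10:07:00 +0000] "GET /openemr/setup.php HTTP/1.1" 404 199 "-" "-"
"""


def is_setup_request(target):
    """True if the request target resolves to a script named setup.php."""
    # Drop the query string, decode %xx escapes, and fold case so that
    # /setup.php?a=1, /%73etup.php and /SETUP.PHP are all recognised.
    path = unquote(urlsplit(target).path).lower()
    # Match any path segment, since PHP may still run the script when
    # extra path info follows it (/setup.php/anything).
    return "setup.php" in path.split("/")


def audit(lines):
    """Count setup.php requests per client, split by whether they were served."""
    result = {"served": {}, "refused": {}}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_setup_request(m["target"]):
            continue
        # 2xx means the installer answered; anything else (403, 404, ...)
        # means it was blocked, removed, or otherwise not delivered.
        bucket = "served" if m["status"].startswith("2") else "refused"
        counts = result[bucket]
        counts[m["client"]] = counts.get(m["client"], 0) + 1
    return result


if __name__ == "__main__":
    report = audit(SAMPLE_LOG.splitlines())
    for client, hits in report["served"].items():
        print(f"setup.php SERVED to {client}: {hits} request(s)")
    for client, hits in report["refused"].items():
        print(f"setup.php refused for {client}: {hits} request(s)")
```

Any entry under "served" means the installer is still reachable and should be removed or blocked, as the documentation advises.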