Health records of almost 100 million patients worldwide were put at risk by security issues with a popular patient management system, researchers say. Almost 30 bugs were found in the OpenEMR system by a cyber-security group called Project Insecurity. OpenEMR is one of the world’s most widely used patient and practice management systems. The OpenEMR project said it was “thankful” for Project Insecurity’s work and had now patched many of the bugs it had exposed. Cyber-security experts from Project Insecurity found various problems in their investigation of OpenEMR. Many of the bugs were labelled as “critical” and, if exploited, would have given attackers wide access to medical records. Some would have allowed attackers with limited credentials access to sensitive data.
OpenEMR is used by many surgeries, hospitals and other health organisations to manage information and treatment for patients. It can also be used to manage scheduling and billing as well as practice administration. In the US, it is used to document sensitive medical information for more than 30 million people. Globally, the records of about 100 million people are believed to be held on OpenEMR. Project Insecurity told OpenEMR about its findings in July and gave the organisation until 7 August to fix them.
Brady Miller, OpenEMR project administrator, said it had tackled the bugs in several stages following the disclosure by the cyber-security team. Mr Miller said the “responsible disclosure” had helped it fix the vulnerabilities. “The OpenEMR community takes security seriously and considered this vulnerability report high priority since one of the reported vulnerabilities did not require authentication,” he said. Patches for the bugs have been released and shared with the many OpenEMR users. They have also been added to packages offered by partners and cloud companies.