Security Flaws Discovered in OpenEMR Healthcare Software

OpenEMR is a widely used open source electronic medical records application that holds the records of millions of patients worldwide. It is generally regarded as easy and safe to use. However, security researchers have found weak points and vulnerabilities in it that everyone who runs or depends on the software should be aware of.

That is what this article discusses.

What is OpenEMR?

For those unfamiliar with the name, OpenEMR is free and open source healthcare software. It provides patient scheduling, electronic prescribing and medical records management, and it also acts as a patient portal and a clinical decision support system, with electronic billing built in.

Many users assume it is problem-free and simply user friendly, but a review by cybersecurity researchers uncovered a number of issues in the software. The following are the main problems that users should know about.

Authentication Bypass and Unauthorized Administrative Access

One of the main features of OpenEMR is the patient portal. It lets patients communicate with their healthcare providers, fill in and sign forms before an appointment, and hold video consultations with health professionals.

The researchers found that unauthenticated users can bypass the portal login screen. Visiting the portal registration page and then modifying the URL grants access to other portal pages without ever logging in. An attacker who knows the relative URL paths of the administrative pages can perform administrative actions, which can lead to the leak of sensitive patient information.
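The bypass described above is a forced-browsing problem: the application treats "a session exists" as "the user is logged in", and the registration page creates a session for anyone. The following is an added example written for this article, not OpenEMR's own code. The route names, the session layout and the `visit_registration` flow are hypothetical; it shows the weak check beside a check that requires an authenticated identity and the right role on every non-public request.

```python
"""Forced-browsing check: a portal that lets anyone with *any* session through
(weak) beside one that checks authentication and role on every request (strict).
Added example; route names and session fields are hypothetical, not OpenEMR's."""
from dataclasses import dataclass
from typing import Optional

# Hypothetical portal routes. Only the login and registration pages are public.
PUBLIC_PATHS = {"/portal/index.php", "/portal/account/register.php"}
ADMIN_PATHS = {"/portal/admin/export_records.php"}


@dataclass
class Session:
    authenticated: bool = False
    role: Optional[str] = None  # "patient" or "admin" once actually logged in


def visit_registration(session: Optional[Session]) -> Session:
    """Loading the registration page creates a session for an anonymous visitor
    (as a 'start registration' flow would) but authenticates nobody."""
    return session or Session()


def weak_guard(path: str, session: Optional[Session]) -> bool:
    """Weak: the mere existence of a session counts as being logged in, so an
    anonymous visitor who loaded the registration page and edits the URL gets in."""
    if path in PUBLIC_PATHS:
        return True
    return session is not None


def strict_guard(path: str, session: Optional[Session]) -> bool:
    """Hardened: every non-public request needs an authenticated identity, and
    administrative paths additionally need the admin role."""
    if path in PUBLIC_PATHS:
        return True
    if session is None or not session.authenticated:
        return False
    if path in ADMIN_PATHS and session.role != "admin":
        return False
    return True


def forced_browsing_demo() -> dict:
    """Replay the bypass: no login, load the registration page, then request an
    administrative page directly. Reports which guard lets the request through."""
    target = "/portal/admin/export_records.php"
    anon = visit_registration(None)
    return {
        "weak_allows_admin": weak_guard(target, anon),
        "strict_allows_admin": strict_guard(target, anon),
        "strict_allows_real_admin": strict_guard(target, Session(True, "admin")),
        "strict_allows_patient_on_admin": strict_guard(target, Session(True, "patient")),
    }


if __name__ == "__main__":
    for name, allowed in forced_browsing_demo().items():
        print(f"{name}: {allowed}")
```

The fix is structural rather than a matter of hiding URLs: the authorization decision has to be made on every request, from the identity stored in the session, and the paths of administrative pages should be assumed known to the attacker.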

SQL Injection

SQL injection is an attack in which input supplied through a web form or URL is incorporated into a database query without proper handling, so that part of the attacker's input is executed as SQL. It lets an attacker read data they are not entitled to and can even allow them to change the database contents. The researchers found several SQL injection vulnerabilities in OpenEMR. Some did not require a login to the patient portal, although all of them required the attacker to be authenticated in some way before they could be exploited.
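To make the mechanism concrete, here is an added example (not OpenEMR's code or schema) that runs a patient lookup and a record update against an in-memory SQLite database with constructed sample rows. The table, columns and sample data are made up. The string-built queries let a classic tautology payload read every patient and overwrite every row; the parameterized versions treat the same payload as a literal value that matches nothing.

```python
"""SQL injection in a patient lookup and update: string-built statements beside
parameterized ones, against an in-memory SQLite database with constructed rows.
Added example; patient_data and its columns are made up, not OpenEMR's schema."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three patients, each owned by a different user."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patient_data (pid INTEGER, owner TEXT, fname TEXT, ssn TEXT, phone TEXT)"
    )
    conn.executemany(
        "INSERT INTO patient_data VALUES (?, ?, ?, ?, ?)",
        [
            (1, "alice", "Alice", "111-11-1111", "555-0001"),
            (2, "bob", "Bob", "222-22-2222", "555-0002"),
            (3, "carol", "Carol", "333-33-3333", "555-0003"),
        ],
    )
    return conn


# Tautology payload: closes the quoted string and makes the WHERE clause always true.
PAYLOAD = "1' OR '1'='1"


def lookup_vulnerable(conn, owner: str) -> list:
    """User input spliced straight into the statement, so quotes in `owner`
    change the meaning of the query."""
    sql = f"SELECT pid, fname, ssn FROM patient_data WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, owner: str) -> list:
    """Bound parameter: the value travels separately from the SQL text, so the
    payload is compared literally against the owner column and matches no row."""
    return conn.execute(
        "SELECT pid, fname, ssn FROM patient_data WHERE owner = ?", (owner,)
    ).fetchall()


def set_phone_vulnerable(conn, pid: str, phone: str) -> int:
    """Same flaw in a write path: the payload turns a one-row update into an
    update of every row. Returns the number of rows changed."""
    sql = f"UPDATE patient_data SET phone = '{phone}' WHERE pid = '{pid}'"
    return conn.execute(sql).rowcount


def set_phone_safe(conn, pid: str, phone: str) -> int:
    return conn.execute(
        "UPDATE patient_data SET phone = ? WHERE pid = ?", (phone, pid)
    ).rowcount


def demo() -> dict:
    conn = make_db()
    return {
        "honest_lookup": lookup_vulnerable(conn, "bob"),
        "injected_lookup_vulnerable": lookup_vulnerable(conn, PAYLOAD),
        "injected_lookup_safe": lookup_safe(conn, PAYLOAD),
        "honest_update_safe": set_phone_safe(conn, "2", "555-9999"),
        "injected_update_vulnerable": set_phone_vulnerable(conn, PAYLOAD, "555-0000"),
        "injected_update_safe": set_phone_safe(conn, PAYLOAD, "555-0000"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The defence is the same whatever the database driver: never build the statement from user input; bind every user-controlled value as a parameter, and apply the same discipline to UPDATE and DELETE paths, where an injection alters data rather than merely reading it.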

Information Disclosure

Information disclosure occurs when software fails to keep information away from people who are not authorized to see it. Even when the leaked data is not sensitive in itself, it can help an attacker plan and carry out a later attack. The researchers found several instances of information leakage in OpenEMR.

Uploading Vulnerability

The researchers also found that image files uploaded to the software were not validated at all. Because the server never checks that an uploaded "image" really is one, an attacker could upload a PHP web shell and use it to run commands on the server.

Cross-Site Request Forgery

Cross-site request forgery (CSRF) occurs when an attacker tricks a logged-in user into making a request they did not intend, for example by getting them to click a crafted link or open a page that silently submits a form. Because the browser attaches the user's session cookie to the request automatically, the application treats it as a legitimate action by that user. The researchers found that OpenEMR was highly exposed to cross-site request forgery.
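The standard fix is a synchronizer token: a secret the legitimate page embeds in its forms but a cross-site page cannot read. The following is an added example, not OpenEMR's implementation, of a handler that trusts the cookie alone beside one that also requires a token bound to the session by an HMAC. The request dictionaries stand in for HTTP requests and are constructed for the example; `SERVER_KEY` is a hypothetical per-deployment secret.

```python
"""Synchronizer-token CSRF defence: issue a per-session token bound with an HMAC,
and reject state-changing requests that lack a valid one. Added example, not
OpenEMR's code; requests are plain dicts constructed for the demonstration."""
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # hypothetical per-deployment secret


def issue_token(session_id: str) -> str:
    """Token = nonce '.' HMAC(key, session_id ':' nonce). The MAC ties the token to
    one session, so a token the attacker obtained for their own session is useless
    against the victim's."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_valid(session_id: str, token) -> bool:
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)  # constant-time comparison


def handle_unprotected(request: dict) -> str:
    """Weak: the session cookie is the only check. The browser attaches that cookie
    to a forged cross-site POST as well, so the victim's action goes through."""
    if not request.get("cookie_session"):
        return "401 not logged in"
    return f"200 email changed to {request['form']['email']}"


def handle_protected(request: dict) -> str:
    """Hardened: the form must also carry a token valid for this session."""
    sid = request.get("cookie_session")
    if not sid:
        return "401 not logged in"
    if not token_valid(sid, request["form"].get("csrf_token")):
        return "403 csrf token missing or invalid"
    return f"200 email changed to {request['form']['email']}"


def demo() -> dict:
    victim_sid = "sess-victim"
    token = issue_token(victim_sid)
    # Forged cross-site POST: the cookie rides along, but there is no token.
    forged = {"cookie_session": victim_sid, "form": {"email": "attacker@evil.example"}}
    # Legitimate submission of the real form, which embedded the token.
    legit = {"cookie_session": victim_sid,
             "form": {"email": "me@example.org", "csrf_token": token}}
    # Attacker plants a token issued for their own session into the forged form.
    other = {"cookie_session": victim_sid,
             "form": {"email": "x@evil.example", "csrf_token": issue_token("sess-attacker")}}
    return {
        "unprotected_forged": handle_unprotected(forged),
        "protected_forged": handle_protected(forged),
        "protected_legit": handle_protected(legit),
        "protected_other_session_token": handle_protected(other),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Tokens only help on requests that change state, and they complement rather than replace marking the session cookie `SameSite`; GET requests should never perform state changes in the first place, or a forged link alone is enough.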

Three weeks after the researchers reported their findings, the OpenEMR project's developers had fixed the weaknesses, and the findings were then released to the public. It shows that when software is assessed for weaknesses in good time, the issues can be fixed before anyone with malicious intent exploits them.

Final Words

This shows that no online system, not even the most widely used, is safe by default. The researchers' work made clear to the healthcare sector that a well-known healthcare application had serious flaws, and that organizations should keep a healthy degree of suspicion about the healthcare applications they rely on.
