Health records of nearly 100 million patients worldwide were put at risk by security issues affecting a popular patient management system, researchers have revealed.
Almost 30 bugs were found by cyber security group, Project Insecurity, in the OpenEMR system, one of the world’s most-widely-used patient and practice management systems.
Healthcare has seen the largest increase in cyber attacks of any industry over the last year, with the number of cyber threats targeting this sector every second doubling
Many were labelled as ‘critical’ and, if exploited, would have given attackers wide access to medical records.
OpenEMR is used by healthcare organisations to manage information and treatment for patients.
It can also be used to manage scheduling and billing as well as for practice administration.
Globally, the records of about 100 million people are believed to be held on OpenEMR.
Project Insecurity told OpenEMR about its findings in July and gave the organisation until 7 August to fix them.
Brady Miller, OpenEMR project administrator, said it had tackled the bugs in several stages.
He added: "The OpenEMR community takes security seriously and considered this vulnerability report high priority since one of the reported vulnerabilities did not require authentication," he said.
Patches have now been released and shared with OpenEMR users, he added.
It is crucial that security is built in from the outset with robust processes. This should incorporate the ability to detect threats as soon as they arise and, once targeted, correct systems quickly to minimise disruption to patients and the workforce
Commenting on the wider implications of the findings, Nick Viney, regional vice president for the UK, Ireland and South Africa at McAfee, said: “Medical data is a valuable commodity for cyber criminals, so it is crucial that vulnerabilities like this are patched quickly through co-operation between the security and healthcare industries.
“According to McAfee research, healthcare has seen the largest increase in cyber attacks of any industry over the last year, with the number of cyber threats targeting this sector every second doubling.
The healthcare industry has even emerged as a viable and attractive target for state-sponsored cyber crime groups such as Hidden Cobra, which is particularly worrying given the complex and elusive tactics employed by these gangs.”
And he added: “The power of AI and human-machine teaming has an important role to play in tracking and cutting out these threats.
This discovery should act as a warning to other healthcare organisations to examine their own cyber security posture and improve their approach to authentication; one that provides the maximum protection available by bringing context to the authentication process
“Healthcare organisations must first and foremost recognise the value of the data they protect, and therefore its appeal to cyber criminals.
“It is also crucial that security is built in from the outset with robust processes. This should incorporate the ability to detect threats as soon as they arise and, once targeted, correct systems quickly to minimise disruption to patients and the workforce.”
Keith Graham, chief technology officer at SecureAuth + Core Security, said: “Keeping data available, confidential, and safe isn’t just a business issue – it allows healthcare personnel to provide the best patient care possible.
“In life-and-death situations, cyber security shouldn’t be hindering medical professionals from doing their jobs. But it can no longer afford to take a back seat.
“In the case of OpenEMR, one of the vulnerabilities did not require any authentication, and when you’re dealing with this number of patient records, that is simply unacceptable, as a crucial element to quick and effective security is ensuring the right people are accessing the right information at the right time.
“This discovery should act as a warning to other healthcare organisations to examine their own cyber security posture and improve their approach to authentication; one that provides the maximum protection available by bringing context to the authentication process that enables a rapid response to evolving threats, as well as taking additional factors such as geographic location analysis, device recognition, and IP address-based threat services into account.”
