OpenEMR’s security flaws threaten millions of patient records; McAfee successfully alters vital signs reporting into monitoring systems

The OpenEMR system, an open-source patient record system used in UK hospitals and others worldwide, has dozens of security flaws in its software, according to Project Insecurity, a London-based “tight-knit computer research organization which focuses primarily on educating the masses on the topics of information security”, as its corporate description on LinkedIn puts it. According to their report, Project Insecurity found vulnerabilities including: “a portal authentication bypass, multiple instances of SQL injection, multiple instances of remote code execution, unauthenticated information disclosure, unrestricted file upload, CSRFs including a CSRF to RCE proof of concept, and unauthenticated administrative actions.” OpenEMR has stated that it has now supplied patches to fix the vulnerabilities listed in the report. However, these multiple flaws put potentially millions of patient records at risk for some time.

OpenEMR’s decentralized model has some drawbacks when it comes to security. According to OpenEMR, they do not know how many organizations are affected, as registration for the open-source software is voluntary. Patches and security fixes are announced to the registration list, OpenEMR’s online forum and social accounts, the open-emr.org community, and OpenEMR vendors. While no data has been publicly exposed, the Project Insecurity report revealed this system’s risk to the healthcare organizations which use it. See also the coverage in DigitalHealth and Project Insecurity on Twitter.

McAfee has confirmed another vulnerability: that vital signs reporting into a central monitoring station can be altered in real time. They tested a circa 2004 bedside monitor/central monitoring system reportedly still in use. The system monitored heartbeat, oxygen level, and blood pressure, used both wired and wireless networking over TCP/IP, and appeared to store patient information. The central monitoring station ran Windows XP Embedded, which presented one set of flaws, but far more accessible to a breach was the communication from the devices to the central monitoring system, which did not authenticate the sender. In short, “the attacker simply has to send replacement data to the central station while appearing as the patient monitor.” The article demonstrates that vital signs can be altered by the time they reach the central monitoring station, creating a bad diagnosis, unnecessary testing, and unneeded medication. The McAfee article lays out How to Mess With Vital Signs, Believably.
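As an added example (not McAfee’s code nor any vendor’s protocol), the sketch below shows the mitigation the finding points to: the bedside monitor tags each telemetry frame with a pre-shared key and a sequence counter, so the central station rejects replacement data from a sender that merely claims the monitor’s identity, and rejects replayed frames. The frame layout, the monitor id “BED-07” and the key provisioning are assumptions.

```python
"""Authenticated vital-sign telemetry between a bedside monitor and a central
station. Added example; frame format and key handling are assumptions."""
import hmac, hashlib, json, struct

# Per-monitor key provisioned at pairing time (assumption; constructed sample value).
MONITOR_KEYS = {"BED-07": b"constructed-sample-key-for-bed-07"}

def build_frame(monitor_id: str, seq: int, vitals: dict, key: bytes) -> bytes:
    """Monitor side: serialize id, sequence number and vitals, then append an HMAC tag."""
    body = json.dumps({"id": monitor_id, "seq": seq, "vitals": vitals}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return struct.pack(">H", len(body)) + body + tag

class CentralStation:
    """Station side: accept a frame only if its tag verifies under the paired monitor's
    key and its sequence number is strictly greater than the last one seen."""
    def __init__(self, keys: dict):
        self.keys, self.last_seq = keys, {}
        self.accepted, self.rejected = [], []

    def receive(self, frame: bytes) -> bool:
        (n,) = struct.unpack(">H", frame[:2])
        body, tag = frame[2:2 + n], frame[2 + n:]
        try:
            msg = json.loads(body)
        except ValueError:
            self.rejected.append("malformed"); return False
        key = self.keys.get(msg.get("id"))
        expected = hmac.new(key, body, hashlib.sha256).digest() if key else b""
        if not key or not hmac.compare_digest(expected, tag):
            self.rejected.append("bad_tag"); return False   # forged or tampered frame
        if msg["seq"] <= self.last_seq.get(msg["id"], -1):
            self.rejected.append("replay"); return False    # replayed or out-of-order
        self.last_seq[msg["id"]] = msg["seq"]
        self.accepted.append(msg["vitals"])
        return True

def demo():
    """Genuine frame, then a frame from an impostor who knows the id but not the key
    (constructed), then a replay of the genuine frame."""
    key = MONITOR_KEYS["BED-07"]
    station = CentralStation(MONITOR_KEYS)
    genuine = build_frame("BED-07", 1, {"hr": 72, "spo2": 98, "bp": "118/76"}, key)
    forged = build_frame("BED-07", 2, {"hr": 40, "spo2": 82, "bp": "80/50"}, b"wrong-key")
    results = [station.receive(genuine), station.receive(forged), station.receive(genuine)]
    return results, station.rejected, station.accepted

if __name__ == "__main__":
    print(demo())
```

Only the first frame reaches the display; the impostor’s values fail the tag check and the duplicate fails the sequence check, so the station can alarm on the rejections rather than chart them.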

A trip back in time to telecare, circa 2009–and maybe the future

As the season winds down, our thoughts turn backwards. Your Editor remembers Jersey Shore vacations, travel, great airshows, collector car shows, old friends and good times. She also remembers When Telecare Was New (2006-9) with Living Independently Group (now Care Innovations), helping to pioneer the QuietCare system in senior housing. At that time, universities like Virginia and Florida were on the cutting edge in developing smart homes and pioneering systems for monitoring health in older adults and the disabled. Those smart homes and research initiatives vanished years ago, replaced by incubators, accelerators, the size of your funding round, Big Data, wearables, IoT….

Sigh. Your Editor is in Error. The University of Missouri is still at it 12 years later with its sensor-based behavioral/activity/proactive care system in the Tiger Place assisted living community near Columbia. And it seems much the same: bed and residential motion sensors, fall detection tracked by a variety of sensors, gait analysis and analysis of activity changes (changes in behavior = changes in health, which still doesn’t excite those in senior care the way it should). You have to admire the persistence of vision the founders/researchers have had (Marilyn Rantz, professor emeritus with the School of Nursing, and Marjorie Skubic, a professor with MU’s College of Engineering). Their research model has now spread to 13 communities and hospitals in Missouri, and they are commercializing it with a former student, George Chronis, through Foresite Healthcare, to convert it into a reliable, robust assisted living/hospital monitoring/care transition system with a simpler, affordable ‘health at home’ version. Besides the nostalgia and supporting fellow ‘true believers’, what they have designed is still needed AND not achieved by RFID (a big fizzle) or ancient PERS. We can all wish them luck in a competitive and much changed market. Source: MU researchers taking sensor system from lab to marketplace (Columbia Daily Tribune)

Previously in TTA: Quantifying early detection capabilities of telecare (July 2012) and Editor Steve’s first look in October 2009 at ‘magic carpet falls’.