Hey, you know what a popular medical record system doesn't need? 23 security vulnerabilities

Fresh light has been shed on a batch of security vulnerabilities discovered in the widely used OpenEMR medical records storage system. A team of researchers at Project Insecurity discovered and reported the flaws, which were patched last month by the OpenEMR developers in version 5.0.1.4. With the fixes now having been out for …

  1. Phil Endecott

    Fractal of fail

    People are using PHP for a medical records system?

    WTF?

    1. Pascal Monett Silver badge
      Trollface

      Re: Fractal of fail

      Yeah but, that's what the CEO's nephew learned in high school. He had to have something to do during the summer . . .

  2. This post has been deleted by its author

  3. Anonymous Coward

    Does it matter what happens to HEALTH info?

    As the Facebook 'Dumb-Fucks' generation are all going to live forever anyway, once Palantir-Peter-Thiel decides to monetize the 'vampire blood therapy'. But the more leaks, breaches and hacks of health data, the easier it is for Zuck to manufacture consent that it's ok to slyly buy patient health data:

    ---

    https://www.theregister.co.uk/2018/04/06/facebook_tried_to_slurp_medical_data/

    http://www.theregister.co.uk/2016/08/01/peter_thiel_wants_young_blood_for_longevity/

  4. John Smith 19 Gold badge

    "discovered by..seven researchers poring over source code without the use of any automated testing tools."

    How IBM Federal Systems Division did it when writing the Shuttle software. Before they started recording every line change and every error source (and pattern of every error).

    So there is an O/S medical records system. Could the NHS use it? HMG spent £15Bn+ on their clusterf**k of a medical records system.

    1. phuzz Silver badge
      Joke

      Re: "discovered by..seven researchers poring over source code without the use of any

      Could the NHS use it?

      Only if it benefits any friends-of-MPs who can then give them a cushy 'consultancy' job?

      >>>> Joke icon, because of course I'm only joking about our fine Members of Parliament being on the take...

  5. Mark 85

    After today's other news about FB wanting your banking details, they obviously want to be able to offer medical ads and great loan rates to pay for it. Need a pacemaker? Here's where to buy and a great payment plan. Anything goes for profit...

  6. el-keef
    Facepalm

    Why are we still seeing...

    SQL injection exploits. In 2018.

    1. deive

      Re: Why are we still seeing...

      Too right, this is absolutely shocking

    2. Michael Wojcik Silver badge

      Re: Why are we still seeing...

      Yes, you know this means they're constructing ad hoc queries using string concatenation and interpolation. We need to start assigning liability for antipatterns like that. There is really no excuse.

      1. deive

        Re: Why are we still seeing...

        Would love to know who the guy is that thinks SQL injection in the 21st century isn't shocking?
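The pattern Michael Wojcik describes above, ad hoc queries built by string concatenation or interpolation, is the root cause of classic SQL injection. The following is an added illustration, not code from OpenEMR or from any commenter: it uses Python's standard sqlite3 module and a small constructed in-memory table (hypothetical schema, not OpenEMR's) to show a concatenated lookup beside its parameterized fix, and why only the second survives an input that contains a quote character.

```python
import sqlite3


def make_db():
    """Constructed sample data so the example runs offline; not a real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, mrn TEXT)"
    )
    conn.executemany(
        "INSERT INTO patients (name, mrn) VALUES (?, ?)",
        [("Alice Example", "MRN-0001"), ("Bob Example", "MRN-0002")],
    )
    return conn


def lookup_by_mrn_concat(conn, mrn):
    """Anti-pattern: the caller's input becomes part of the SQL text itself.

    A value containing a single quote changes the structure of the query,
    so the WHERE clause no longer means what the developer wrote.
    """
    sql = "SELECT name FROM patients WHERE mrn = '" + mrn + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_by_mrn_param(conn, mrn):
    """Fix: a placeholder in the SQL, the value passed separately.

    The driver hands the value to the engine as data, so it is compared
    literally and can never be parsed as SQL syntax.
    """
    sql = "SELECT name FROM patients WHERE mrn = ?"
    return [row[0] for row in conn.execute(sql, (mrn,))]


if __name__ == "__main__":
    conn = make_db()
    # A constructed input containing a quote: harmless as data,
    # structure-changing when concatenated into the query text.
    hostile = "' OR '1'='1"
    print(lookup_by_mrn_concat(conn, "MRN-0001"))  # ['Alice Example']
    print(lookup_by_mrn_concat(conn, hostile))     # every row: the filter is gone
    print(lookup_by_mrn_param(conn, hostile))      # []: no MRN equals that string
```

The same split applies to PHP, where the concatenated form is `"... WHERE mrn = '$mrn'"` and the fix is a PDO or mysqli prepared statement with bound parameters; a code review or a grep for query strings built with `.` or string interpolation is the quickest way to find the anti-pattern in an existing code base.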

  7. JDX Gold badge

    23 vulns & me

    as title

  8. Flywheel

    ONC certified

    Oh dear. Or, I want some of whatever they were smoking when they certified it...

  9. David Lawrence

    Web-based for what reason??

    So all of those vulnerabilities exist because someone decided the whole thing absolutely HAD to be web-based. Why is it web-based? Or more importantly, why is it ALL web-based? Is there really a saving in terms of development costs? The UI still needs to be designed and built - just using a different technology stack. All you seem to get is vulnerabilities and attacks.

    Time to re-think whether you should expose all your precious data in that way, or whether you can limit the web-based stuff to an absolute minimum, and limit the information held in the DB that serves it. Keep the rest well away from the web I say.

    1. GnuTzu

      Re: Web-based for what reason??

      There are respectable enterprise data analytic products that are web-based, e.g. Splunk. PHP is the bigger worry, as is a lack of interface and web server hardening. The common alternatives that I find myself stuck with on a day-to-day basis include Java and Citrix, the latter being the most unsupportable and horrible to work with.

  10. sitta_europea Silver badge

    Is anybody actually using it?

    1. Phil Endecott

      > Is anybody actually using it?

      Apparently yes; one of the screenshots I noticed in the PDF is from a live system with patient details redacted.

    2. Michael Wojcik Silver badge

      They claimed it's "the most popular" system of its type.

      I'm thinking those organizations using it are now on the line for some nifty HIPAA violations if they don't patch mighty quickly.
