Washington Post Security Article featuring Op

redstapler wrote on Thursday, December 27, 2012:

Any feedback or thoughts on this article?  Should we initiate an initiative on OpenEMR hardening?

http://www.washingtonpost.com/investigations/health-care-sector-vulnerable-to-hackers-researchers-say/2012/12/25/72933598-3e50-11e2-ae43-cf491b837f7b_story.html

bradymiller wrote on Thursday, December 27, 2012:

Hi,

Here are the pertinent quotes:

OpenEMR, an open-source electronic medical records management system that is about to be adopted worldwide by the Peace Corps, has scores of security flaws that make it easy prey for hackers.

Among the systems that HHS has certified is OpenEMR, an open-source software developed by a nonprofit charitable group called OEMR. The software can be downloaded for free.
Williams’s group — along with several white-hat hackers — has found hundreds of vulnerabilities in the system.
OEMR’s leaders acknowledged the flaws but said it would take an experienced hacker to exploit them. Chief technology officer Kevin Yeh said his group fixes problems as soon as it learns about them and that other Web-based systems probably have the same weaknesses.
He added that federal certification standards “are not sufficient.”

The important thing to note here is that these known “hacks” all require user authentication (meaning the hacker needs a valid username/password). That being said, OpenEMR does have its share of sql-injection and cross-scripting vulnerabilities, which are simply a symptom of the aging codebase (again, you need to be logged into OpenEMR to be able to take advantage of these vulnerabilities). A wiki page discusses this issue along with what we are doing about it here:
http://www.open-emr.org/wiki/index.php/Codebase_Security#Plan

Note that all new code/scripts written are required to follow the solutions detailed in above wiki page to prevent any sql-injection and cross-scripting attacks.

Also note that there is an ongoing project to use this solution detailed in above wiki page to harden the older codebase, with the converted modules listed here:
http://www.open-emr.org/wiki/index.php/Codebase_Security#Implementation
(This has mostly been carried out by myself and there is still a lot more to do. Hopefully the article will spur other developers to help out with this)

My overall take on this is that the article is merely pointing out the obvious. The culture of health care is different than the corporate world. Individuals driven towards healthcare (physicians, nurses, and perhaps even IT folks) place much more focus on taking care of the patient than the other “details”. This explains (at least to me) the sharing of passwords and the utilization of dropbox by some other organizations. For example, if I’m at a workstation using an EMR and another physician forgets their password in a busy clinic and does not have 30 minutes to wait on the phone to reset their password, then what am I going to do in that situation? Would I do the same thing if I worked in a financial institution?

As an aside, here’s a wiki page discussing how to secure OpenEMR:
http://www.open-emr.org/wiki/index.php/Securing_OpenEMR
(anybody, please feel free to contribute to it)

-brady
OpenEMR

redstapler wrote on Thursday, December 27, 2012:

Thanks Brady for summarizing - I am willing to dedicate some project management and BA resources in 2013 if a majority think this is an initiative worthwhile. I am even willing to commit funds to developing.

donelewis wrote on Thursday, December 27, 2012:

Give me some tasks, I will help if I can.

bradymiller wrote on Thursday, December 27, 2012:

Hi redstapler and donelewis,

Feel free to pick any script/module that hasn’t been converted yet and convert it to the new security model (and of course contribute it back to the OpenEMR codebase). I’m happy to provide guidance on where to start (i.e. an easy script/module). This project is being tracked on the following sourceforge forum:
http://sourceforge.net/projects/openemr/forums/forum/202506/topic/3530656

Again, check out the following wiki page for the security method and examples:
http://www.open-emr.org/wiki/index.php/Codebase_Security#Plan

thanks,
-brady
OpenEMR
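To make concrete what a “conversion” of a legacy script means in practice (the sql-injection and cross-scripting defects Brady describes in his first post, and the per-module rewrite he invites people to pick up here), the following is an added example written for this thread, not code from OpenEMR or its wiki. It uses plain PDO with an in-memory SQLite table and PHP’s htmlspecialchars() as a stand-in for whatever helper functions the project’s security plan prescribes; the table name, columns and sample rows are constructed for the example.

```php
<?php
// Added example: a "before" and "after" for the kind of SQL-injection and
// cross-site-scripting defects the thread describes. Illustrative code only,
// not OpenEMR's own; it uses PDO and htmlspecialchars() instead of the
// project's helper functions, which this thread does not name.

declare(strict_types=1);

// Constructed in-memory SQLite database so the example runs offline.
function buildSampleDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE patient_data (pid INTEGER, fname TEXT, lname TEXT)');
    $db->exec("INSERT INTO patient_data VALUES (1, 'Ann', 'Smith'), (2, 'Bob', 'Jones')");
    return $db;
}

// BEFORE: the request parameter is spliced straight into the SQL string and
// the result is echoed raw. Any logged-in user can change the shape of the
// query, and any value stored in the table is rendered as markup.
function lookupLegacy(PDO $db, string $lname): string
{
    $sql  = "SELECT fname, lname FROM patient_data WHERE lname = '" . $lname . "'";
    $rows = $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
    $html = '';
    foreach ($rows as $r) {
        $html .= '<li>' . $r['fname'] . ' ' . $r['lname'] . '</li>';
    }
    return $html;
}

// AFTER: a placeholder keeps the data out of the SQL grammar, and every value
// is escaped for the HTML context it is written into.
function lookupHardened(PDO $db, string $lname): string
{
    $stmt = $db->prepare('SELECT fname, lname FROM patient_data WHERE lname = ?');
    $stmt->execute([$lname]);
    $html = '';
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $r) {
        $name  = $r['fname'] . ' ' . $r['lname'];
        $html .= '<li>' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
    }
    return $html;
}

$db = buildSampleDb();

// Ordinary input: both versions return the same row.
echo lookupLegacy($db, 'Smith'), PHP_EOL;
echo lookupHardened($db, 'Smith'), PHP_EOL;

// A surname containing a quote (O'Brien) breaks the legacy query outright;
// that syntax error is the same defect an injection relies on. The prepared
// statement simply treats the quote as data and returns no rows.
try {
    lookupLegacy($db, "O'Brien");
} catch (PDOException $e) {
    echo 'legacy query failed on a quote: ', $e->getMessage(), PHP_EOL;
}
echo 'hardened result: [', lookupHardened($db, "O'Brien"), ']', PHP_EOL;
```

The two fixes are independent and both are needed: binding parameters removes the SQL problem but does nothing for output, and escaping on output does nothing for the query. When reviewing a converted module, check each query for string concatenation of request data and each echo of database or request data for the missing escape call.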

bradymiller wrote on Thursday, December 27, 2012:

Also,

If you plan to contribute funds to a professional developer for this, I suggest using a Certified OpenEMR Contributor to ensure it’s done correctly and gets contributed back to the project:
http://www.open-emr.org/wiki/index.php/Category:Certified_OpenEMR_Contributor

-brady
OpenEMR