Hey, you know what a popular medical record system doesn't need? 23 security vulnerabilities

Fresh light has been shed on a batch of security vulnerabilities discovered in the widely used OpenEMR medical records storage system. A team of researchers at Project Insecurity discovered and reported the flaws, which were patched last month by the OpenEMR developers in version 5.0.1.4. With the fixes now having been out for …


Fractal of fail

People are using PHP for a medical records system?

WTF?

Trollface

Re: Fractal of fail

Yeah but, that's what the CEO's nephew learned in high school. He had to have something to do during the summer . . .


Anonymous Coward

Does it matter what happens to HEALTH info?

As the Facebook 'Dumb-Fucks' generation are all going to live forever anyway, once Palantir-Peter-Thiel decides to monetize the 'vampire blood therapy'. But the more leaks, breaches and hacks of health data there are, the easier it is for Zuck to manufacture consent that it's OK to slyly buy patient health data:

---

https://www.theregister.co.uk/2018/04/06/facebook_tried_to_slurp_medical_data/

http://www.theregister.co.uk/2016/08/01/peter_thiel_wants_young_blood_for_longevity/


"discovered by … seven researchers poring over source code without the use of any automated testing tools."

That's how IBM Federal Systems Division did it when writing the Shuttle software. Before they started recording every line change and every error source (and the pattern of every error).

So there is an O/S medical records system. Could the NHS use it? HMG spent £15Bn+ on their clusterf**k of a medical records system.

Joke

Re: "discovered by … seven researchers poring over source code without the use of any

> Could the NHS use it?

Only if it benefits some friends-of-MPs who can then give them a cushy 'consultancy' job?

>>>> Joke icon, because of course I'm only joking about our fine Members of Parliament being on the take...


After today's other news about FB wanting your banking details, they obviously want to be able to offer medical ads and great loan rates to pay for it. Need a pacemaker? Here's where to buy and a great payment plan. Anything goes for profit...

Facepalm

Why are we still seeing...

SQL injection exploits. In 2018.


Re: Why are we still seeing...

Too right, this is absolutely shocking


Re: Why are we still seeing...

Yes, you know this means they're constructing ad hoc queries using string concatenation and interpolation. We need to start assigning liability for antipatterns like that. There is really no excuse.


Re: Why are we still seeing...

Would love to know who the guy is that thinks SQL injection in the 21st century isn't shocking.

JDX

23 vulns & me

as title


ONC certified

Oh dear. Or, I want some of whatever they were smoking when they certified it...


Web-based for what reason??

So all of those vulnerabilities exist because someone decided the whole thing absolutely HAD to be web-based. Why is it web-based? Or, more importantly, why is it ALL web-based? Is there really a saving in terms of development costs? The UI still needs to be designed and built - just using a different technology stack. All you seem to get is vulnerabilities and attacks.

Time to re-think whether you should expose all your precious data in that way, or whether you can limit the web-based stuff to an absolute minimum, and limit the information held in the DB that serves it. Keep the rest well away from the web I say.


Re: Web-based for what reason??

There are respectable enterprise data analytic products that are web-based, e.g. Splunk. PHP is the bigger worry, as is a lack of interface and web server hardening. The common alternatives that I find myself stuck with on a day-to-day basis include Java and Citrix, the latter being the most unsupportable and horrible to work with.


Is anybody actually using it?


> Is anybody actually using it?

Apparently yes; one of the screenshots I noticed in the PDF is from a live system with patient details redacted.


They claimed it's "the most popular" system of its type.

I'm thinking those organizations using it are now on the line for some nifty HIPAA violations if they don't patch mighty quickly.
