Project maintainers are still working on a fix

The LibreHealth EHR app exposes sensitive medical data

Five high-risk security vulnerabilities in a popular healthcare application could allow a malicious actor to access highly sensitive medical data.

LibreHealth EHR is free, open-source electronic health records software that offers medical professionals an easy way to manage their patients’ data.

Security researchers from Bishop Fox identified five critical bugs that could allow this data to be exposed.

The vulnerabilities could allow an unauthenticated attacker to compromise the application’s underlying server and access sensitive healthcare records, the researchers said.

Researcher Chris Davis, who authored the blog post, told The Daily Swig: “LibreHealth v2.0.0 is affected by a number of common web vulnerabilities such as cross-site scripting, SQL injection, [and] CSRF, as well as some less common issues including local file inclusion.

“These issues independently are high risk in nature and can be exploited to compromise the application data as well as the underlying server. Due to the nature of the application, this data is highly sensitive health records.”

Patch incoming

The vulnerabilities have not yet been patched. However, Davis said there is no evidence that they are being exploited in the wild.

LibreHealth maintainers are currently working on a fix for the issues. Due to coronavirus-related delays, the vendor was given an extension to the standard 90-day coordinated disclosure timeline.

Davis said: “The disclosure process was fairly standard for the industry; we contacted the vendor as soon as possible with our report.

“They were pleasant to work with and took the issues seriously, which is always good to see. The vendor is currently working toward an official patch. They have issued some pulls in GitHub for these issues, but there is yet to be a full merge into a patched version.

“We had extended our normal 90-day policy to grant extra time, but agreed with the vendor on publication after that extension.”