Original Release Date: 7/17/2020
An independent researcher discovered a dozen vulnerabilities in OpenClinic GA, many of which are rated critical or high severity. OpenClinic GA is a widely used open source hospital management system that handles administrative, financial, clinical, lab, x-ray, pharmacy, and other functions. The flaws, affecting versions 5.09.02 and 5.89.05b, can be exploited to bypass access controls and account protections, obtain sensitive information, and upload and execute arbitrary files and commands. CISA has also released an advisory addressing this and other issues confronting the healthcare sector, stressing the need for all healthcare organizations to proactively assess and address vulnerabilities that potentially jeopardize data and patients.
The NJCCIC recommends users of OpenClinic GA upgrade to the latest version of the platform. Additionally, organizations are encouraged to adopt a defense-in-depth cybersecurity strategy, apply the principle of least privilege, ensure control systems and devices are not public-facing to minimize network exposure, and use Virtual Private Networks (VPNs) to access networks when remote access is required. Further information can be found in the Security Week article.