Why is security important for MedTech?

Healthcare is one of the most critical and sensitive areas of human activity. Over the years, it has undergone changes and innovations to improve the quality of care and provide better services to patients. Modern technology has brought to this field the convenience of customer management, patient monitoring, and the ability to diagnose diseases more accurately. Alongside conventional software such as web servers, email servers, web applications, and blogs, specialized software is becoming increasingly relevant. In addition to large cloud-based solutions such as Salesforce Health Cloud or Epic Systems, MedTech and MedData organizations use standalone solutions like ERPNext, OpenDental, OpenMRS, Bahmni, and LibreHealth, or develop their applications from scratch.

As with any other application, vulnerabilities can occur. However, vulnerabilities in medical software can lead to more severe consequences than in any other IT solution:

 - The healthcare industry collects vast amounts of sensitive patient information, including patient histories, personal data, insurance information, etc. Leaking such information can lead to severe consequences for both users and companies, because MedTech is subject to strict PII regulation (GDPR in Europe, HIPAA in the US, etc.).

 - Leakage of customer payment data, which may lead to fraud and risk of money theft.

 - Leakage of personal data of employees of the healthcare organization.

 - Possible blackmail of the organization or, even worse, of patients.

Also, do not forget about the physical safety of patients: an attacker who knows of a vulnerability in the product and penetrates the internal network of the medical institution can not only access all the information (reading, modifying, and deleting records in the database) but also disable the equipment, which would put patients' lives at risk.

Let's take a look at one such vulnerability, CVE-2020-23829:

This is a vulnerability in LibreHealth v2.0.0 (a clinically focused electronic health record system) that allows code to be executed on a company's server.

In a nutshell, an attacker can upload a file with malicious code under the guise of an avatar.

This happens because the script that handles avatar uploads (interface/new/new_comprehensive_save.php) does not validate the file correctly. 

Validation consists only of checking the MIME type of the image (line 69), which is easily bypassed by setting the header of the uploaded file to '\x89\x50\x4e\x47\x0d\x0a\x1a' (the header of a PNG image in hex). Line 59, where the extension of the uploaded file's name is reused as the extension of the stored file, also contributes to the vulnerability. Thus, if you upload a malicious script evil.php instead of avatar.png, starting with the PNG file header, the script will retain the .php extension and can be executed on the server.

This way, by uploading the malicious script to the server, the attacker gains full access to the site, the ability to manipulate data in the database, attack users and employees, and attack internal systems. 
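One way to close both gaps described above (the header-only type check and the reuse of the uploaded file's extension), shown as an added example that is not LibreHealth's code or its actual fix. The names `store_avatar` and `AVATAR_TYPES`, the size limit and the temporary storage directory are assumptions, and the code needs the fileinfo and GD extensions.

```php
<?php
// Added example, not LibreHealth code. Requires ext-fileinfo and ext-gd.
// AVATAR_TYPES, MAX_AVATAR_BYTES and store_avatar() are hypothetical names.

const AVATAR_TYPES = ['image/png' => 'png', 'image/jpeg' => 'jpg'];
const MAX_AVATAR_BYTES = 1048576; // assumed 1 MiB limit

/**
 * Validate uploaded bytes and store a re-encoded copy in $dir.
 * Returns the stored file name, or null if the upload is rejected.
 * The client-supplied file name is deliberately not a parameter.
 */
function store_avatar(string $bytes, string $dir): ?string
{
    if ($bytes === '' || strlen($bytes) > MAX_AVATAR_BYTES) {
        return null;
    }
    // 1. Allowlist on the sniffed type; on its own this only inspects leading bytes.
    $mime = (string) (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    $ext = AVATAR_TYPES[$mime] ?? null;
    if ($ext === null) {
        return null;
    }
    // 2. Full decode: a PNG header followed by script text fails here.
    $img = @imagecreatefromstring($bytes);
    if ($img === false) {
        return null;
    }
    // 3. Server-chosen name and extension; nothing from the request is reused.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    // 4. Re-encode so only pixel data reaches disk, never the original bytes.
    $ok = $ext === 'png'
        ? imagepng($img, "$dir/$name")
        : imagejpeg($img, "$dir/$name", 90);
    return $ok ? $name : null;
}

// Constructed inputs: a PNG header followed by inert text, and a real 8x8 PNG.
$fake = "\x89PNG\r\n\x1a\n" . '<?php /* inert placeholder */';
ob_start();
imagepng(imagecreatetruecolor(8, 8));
$real = ob_get_clean();

$dir = sys_get_temp_dir();
var_dump(store_avatar($fake, $dir)); // upload that arrived named evil.php
var_dump(store_avatar($real, $dir)); // genuine avatar.png
```

Keeping the avatar directory outside the web root, or configuring the web server never to execute scripts from it, adds a further layer if a check is ever bypassed.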

As seen from the example above, medical software, like any other application, is susceptible to vulnerabilities. However, unlike in other applications, security issues in medical software can come at a high cost to the health and even the lives of patients. Therefore, the priority of information security is much higher in this context. Regular penetration testing, source code and infrastructure analysis, and protective measures are necessary.

If you're interested in pentest or cybersecurity audit, please don't hesitate to contact us.

Author: Maxim Roy