Aisle, an AI security firm, discovered 38 critical security vulnerabilities in an AI-driven test of OpenEMR's healthcare platform.
OpenEMR is a healthcare software provider used by more than 100,000 medical providers globally. It supports clinical documentation, billing, scheduling, and patient access through a single platform.
Aisle conducted the test together with OpenEMR on the latest version of the healthcare platform.
The report found the vulnerabilities affected multiple systems within the platform, including patient data access, APIs, and administrative controls.
The vulnerabilities identified include:
- Bypassed Authentication: Some system functions were accessed without valid login credentials, allowing unauthorized users to interact with protected features.
- Insecure Direct Object References (IDOR): Patient records could be accessed or changed by modifying record ID numbers in system requests, without proper authorization checks.
- Data Access and Manipulation: Aisle could access patient records without authorization. Further, patient information could be altered without verifying user permissions.
- Administrative Access: In certain cases, users gained administrative-level privileges, enabling full control over system configuration and data.
- Exposed API Endpoints: Some application programming interface (API) endpoints were accessible without authentication, allowing direct interaction with backend systems.
- Sharing Vulnerabilities: Security gaps in the system's built-in data-sharing tools, used to exchange patient records with other systems, enabled unauthorized access to patient information.
- Operational Module Exposure: Billing, reporting, and vaccination records could be accessed or changed without proper authorization.
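The authentication-bypass and IDOR items above describe the same underlying defect: a request handler that trusts the record ID in the request and never asks whether the caller is allowed to see that record. The following Python sketch is an added example, not code from Aisle, OpenEMR, or the report. It places the vulnerable lookup beside a hardened handler that authenticates the session, applies an object-level authorization check against the specific record, and writes denied attempts to an audit log so that ID tampering becomes visible to monitoring. The patient records, users, session tokens, role names and function names are all constructed for illustration.

```python
"""Object-level authorization for a patient-record endpoint.

Constructed example: the data, users and session tokens below are invented
for illustration and do not reflect OpenEMR's data model or code.
"""
from typing import Dict, List, Optional

# --- constructed sample data -------------------------------------------
PATIENTS: Dict[int, dict] = {
    101: {"name": "Patient A", "provider_id": 7},
    102: {"name": "Patient B", "provider_id": 8},
}

# user_id -> role and the provider this user acts for (constructed)
USERS: Dict[int, dict] = {
    1: {"role": "clinician", "provider_id": 7},
    2: {"role": "clinician", "provider_id": 8},
    3: {"role": "admin", "provider_id": None},
}

# opaque session token -> user_id (constructed; a real app keeps this server-side)
SESSIONS: Dict[str, int] = {"tok-alice": 1, "tok-bob": 2, "tok-admin": 3}

AUDIT_LOG: List[dict] = []  # denied accesses are recorded here for detection


class Unauthorized(Exception):
    """Request carries no valid session."""


class Forbidden(Exception):
    """Session is valid but the user may not access this object."""


def get_patient_vulnerable(patient_id: int) -> dict:
    """Vulnerable pattern (IDOR): returns whatever record the request names,
    with no authentication and no check that the caller may see it."""
    return PATIENTS[patient_id]


def resolve_user(token: Optional[str]) -> dict:
    """Authentication: map the session token to a user; reject anything unknown."""
    if token is None or token not in SESSIONS:
        raise Unauthorized("no valid session")
    user_id = SESSIONS[token]
    return {"id": user_id, **USERS[user_id]}


def is_authorized(user: dict, patient: dict) -> bool:
    """Object-level authorization: admins may read any record; clinicians only
    records of patients assigned to their own provider id. Deny by default."""
    if user["role"] == "admin":
        return True
    if user["role"] == "clinician":
        return patient["provider_id"] == user["provider_id"]
    return False


def get_patient(token: Optional[str], patient_id: int) -> dict:
    """Hardened handler: authenticate, then authorize against the specific
    record before returning it. A denied attempt is appended to AUDIT_LOG."""
    user = resolve_user(token)
    patient = PATIENTS.get(patient_id)
    if patient is None or not is_authorized(user, patient):
        # Identical outcome for "no such id" and "not your patient", so the
        # endpoint does not reveal which ids exist.
        AUDIT_LOG.append({"user_id": user["id"], "patient_id": patient_id, "result": "denied"})
        raise Forbidden(f"user {user['id']} may not access patient {patient_id}")
    return patient


def access_outcome(token: Optional[str], patient_id: int) -> str:
    """Policy decision as a string: 'ok', 'unauthorized' or 'forbidden'."""
    try:
        get_patient(token, patient_id)
        return "ok"
    except Unauthorized:
        return "unauthorized"
    except Forbidden:
        return "forbidden"


def denied_count_for_user(user_id: int) -> int:
    """Detection helper: number of denied record accesses by one user.
    A burst of denials from a single session is the signature of id tampering."""
    return sum(1 for e in AUDIT_LOG if e["user_id"] == user_id and e["result"] == "denied")


if __name__ == "__main__":
    print(access_outcome("tok-alice", 101))   # own patient: ok
    print(access_outcome("tok-alice", 102))   # id changed in the request: forbidden
    print(access_outcome(None, 101))          # no session: unauthorized
    print("denials by user 1:", denied_count_for_user(1))
```

The key design point is that `get_patient` decides per record, not per endpoint: a logged-in clinician passes authentication but still fails authorization for a patient outside their provider, and the denial is logged with the user and the requested ID so that a sequence of consecutive IDs from one session stands out in review.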
Aisle disclosed the vulnerabilities to their OpenEMR counterparts during testing, enabling “on-the-fly” fixes.
OpenEMR integrated Aisle’s AI analysis tool into its code review process. The tool scans new code for vulnerabilities, allowing fixes to happen before the product is finalized.