
Ethical hacking: report vulnerabilities before they are detected by cybercriminals


The team at Sofistic, Cuatroochenta's cybersecurity unit, recently discovered five vulnerabilities in an open-source application used by healthcare centers in more than 100 countries. The aim is to identify and report security flaws before cybercriminals can exploit them.

The goal of ethical hacking is to search: to search for vulnerabilities and weaknesses in computer systems, just as a cybercriminal would, in order to find and fix security flaws and harden those systems against possible attacks. In line with this approach, the team at Sofistic, Cuatroochenta's cybersecurity unit, recently discovered and reported five vulnerabilities in a popular open-source medical practice management system, OpenEMR, which according to its maintainers is used by more than 100,000 healthcare providers worldwide and serves over 200 million patients.

This finding is part of a broader investigation the company is conducting to assess the security maturity of open-source medical management systems; around twenty open-source healthcare management software packages have been analyzed so far. The healthcare sector has been a frequent target of cybercriminals in recent years because of the large amount of sensitive information that hospitals, healthcare centers, and pharmaceutical companies handle, and these attacks have had a significant impact on healthcare activity. The Hospital Clínic in Barcelona, the drug distributor Alliance Healthcare, and the Colombian pharmacy chain Audifarma, for instance, have all suffered cyber-attacks.

Healthcare organizations worldwide experienced an average of 1,463 cyberattacks per week in 2022, an increase of 74% from 2021, according to Check Point Research.

Ethical hacking applies a security audit process from the attacker's perspective to uncover flaws.

Applying their specific skills and knowledge, Sofistic's team of ethical hackers carried out a penetration test against OpenEMR, which is certified by the U.S. Office of the National Coordinator for Health Information Technology (ONC). The pentest uncovered five vulnerabilities, four of them rated high severity. The project's maintainers were then contacted and given time to fix the reported vulnerabilities and release an updated version. Following standard coordinated-disclosure practice, once the necessary patches had been applied, the fixes were verified and each vulnerability was assigned a Common Vulnerabilities and Exposures (CVE) identifier so that it can be referenced globally. Finally, the vulnerabilities were published in the U.S. National Vulnerability Database (NVD), the public repository of security vulnerability information, and in the vulnerability registry of the Spanish National Institute of Cybersecurity (INCIBE).

«By reporting these security breaches, we can help strengthen systems that handle sensitive information in the healthcare sector, which is one of the most threatened by cybercriminals due to the nature of the data they manage.»

Manuel Ginés, CIO of Sofistic and Head of Research.
