A trio of static accounts in EMR and billing software from DocuTrac can lead to serious vulnerabilities in sensitive data bases.

Two popular applications for medical records management contain hidden user accounts with hard-coded credentials that could be abused by hackers, a researcher has found.

Rapid7 today published a report on the newly discovered security vulnerabilities (CVE-2018-5551 and CVE-2018-5552) in DocuTrac's electronic medical record (EMR) software QuicDoc and Office Therapy billing software. DocuTrac software runs at some 5,000 healthcare practices, including county and state mental health facilities, employee assistance programs, behavioral health, and other facilities.

Three user accounts are created when the software is installed, and these accounts have high levels of access to the database, according to Rapid7, who handled the vuln disclosure on behalf of the independent researcher who discovered the flaws. The administrator setting up the software is neither warned of these accounts' existence nor has an option to change the passwords.

In addition, QuickDoc and Office Therapy use a single, hard-coded salt string for encryption. It's not clear precisely how much of the data stored by the system is encrypted, according to Rapid7, but it is clear that whatever is encrypted is less secure than it should be.

DocuTrac has been notified of the vulnerabilities and has not yet released a patch. In the meantime, Rapid 7 recommends limiting physical access to systems that can be used to log into the applications.

 

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

About the Author(s)

Curtis Franklin, Principal Analyst, Omdia

Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and ITWorld.com on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights