SAP is a software company headquartered in Germany that provides a mobile EHR platform that stores clinical data as well as lab results and images. An analysis from Palo Alto, Calif.-based enterprise application security company ERPScan found that other applications on a mobile device were able to access the EMR Unwired database, possibly through malware. Attackers were also able to tamper with a configuration file and change medical records stored on the server, according to ComputerWorld.
The attackers could possibly have altered or uploaded false information, compromising the safety of the real patients whose records are in the database, according to the report.
The company reportedly fixed the errors and corrected a server-side buffer error that could cause a denial-of-service attack. The vulnerability is not accessible remotely, so an attacker would need to have access to an SAP Mobile Device Management client. However, the client would be available from inside the company and from third parties, according to an ERPScan analyst.