HC3 Sector Alert on Older Versions of OpenEMR

Feb. 2, 2023
The Health Sector Cybersecurity Coordination Center published a sector alert on Jan. 31 advising healthcare organizations about vulnerabilities found on older versions of OpenEMR electronic health records system

On Jan. 31, the Health Sector Cybersecurity Coordination Center (HC3) published a sector alert regarding multiple vulnerabilities in OpenEMR electronic health records system. According to the alert, three vulnerabilities were found in an older version of OpenEMR.

The alert states that “The software development solution company, Sonar, released a report identifying three vulnerabilities in an older version of OpenEMR, a popular electronic health records system. OpenEMR is described as being ‘used by more than 100,000 medical providers serving more than 200 million patients’. The three vulnerabilities are Unauthenticated File Read, Authenticated Local File Inclusion, and Authenticated Reflected XSS. These vulnerabilities all represent opportunities for cybercriminals to launch ransomware attacks and data breaches—both of which are persistent threats to the health sector, among other types of attacks.”

The vulnerabilities are fixed in newer versions of OpenEMR and the alert says that upgrading to the most recent version will fully patch them.

“Technical details of the vulnerabilities can be found in the Sonar alert,” the release adds. “This includes the attack lifecycle for all three vulnerabilities. It also details how an attacker-controlled MySQL configuration can lead to exploitation of the arbitrary file read vulnerability and how combining two code vulnerabilities, Cross-Site Scripting, and Local File Inclusion can lead to a takeover of any OpenEMR instance. These vulnerabilities were initially reported by Sonar to OpenEMR on October 24, 2022 and released in version 7.0.0, which included the three patches, on November 30, 2022.”

The alert concludes by saying that OpenEMR’s patches can be accessed here. The alert strongly recommends updating older versions of the software immediately to prevent these vulnerabilities from being exploited.

Sponsored Recommendations

Trailblazing Technologies: Looking at the Top Technologies for the Emerging U.S. Healthcare System

Register for the first session of the Healthcare Innovation Spotlight Series today to learn more about 'Healthcare's New Promise: Generative AI', the latest technology that is...

Data: The Bedrock of Digital Engagement

Join us on March 21st to discover how data serves as the cornerstone of digital engagement in healthcare. Learn from Frederick Health's transformative journey and gain practical...

Northeast Georgia Health System: Scaling Digital Transformation in a Competitive Market

Find out how Northeast Georgia Health System (NGHS) enabled digital access to achieve new patient acquisition goals in Georgia's highly competitive healthcare market.

2023 Care Access Benchmark Report for Healthcare Organizations

To manage growing consumer expectations and shrinking staff resources, forward-thinking healthcare organizations have adopted digital strategies, but recent research shows that...