HC3 Sector Alert on Older Versions of OpenEMR

Feb. 2, 2023
The Health Sector Cybersecurity Coordination Center published a sector alert on Jan. 31 advising healthcare organizations about vulnerabilities found on older versions of OpenEMR electronic health records system

On Jan. 31, the Health Sector Cybersecurity Coordination Center (HC3) published a sector alert regarding multiple vulnerabilities in OpenEMR electronic health records system. According to the alert, three vulnerabilities were found in an older version of OpenEMR.

The alert states that “The software development solution company, Sonar, released a report identifying three vulnerabilities in an older version of OpenEMR, a popular electronic health records system. OpenEMR is described as being ‘used by more than 100,000 medical providers serving more than 200 million patients’. The three vulnerabilities are Unauthenticated File Read, Authenticated Local File Inclusion, and Authenticated Reflected XSS. These vulnerabilities all represent opportunities for cybercriminals to launch ransomware attacks and data breaches—both of which are persistent threats to the health sector, among other types of attacks.”

The vulnerabilities are fixed in newer versions of OpenEMR and the alert says that upgrading to the most recent version will fully patch them.

“Technical details of the vulnerabilities can be found in the Sonar alert,” the release adds. “This includes the attack lifecycle for all three vulnerabilities. It also details how an attacker-controlled MySQL configuration can lead to exploitation of the arbitrary file read vulnerability and how combining two code vulnerabilities, Cross-Site Scripting, and Local File Inclusion can lead to a takeover of any OpenEMR instance. These vulnerabilities were initially reported by Sonar to OpenEMR on October 24, 2022 and released in version 7.0.0, which included the three patches, on November 30, 2022.”

The alert concludes by saying that OpenEMR’s patches can be accessed here. The alert strongly recommends updating older versions of the software immediately to prevent these vulnerabilities from being exploited.

Sponsored Recommendations

The Race to Replace POTS Lines: Keeping Your People and Facilities Safe

Don't wait until it's too late—join our webinar to learn how healthcare organizations are racing to replace obsolete POTS lines, ensuring compliance, reducing liability, and maintaining...

Transform Care Team Operations & Enhance Patient Care

Discover how to overcome key challenges and enhance patient care in our upcoming webinar on September 26. Learn how innovative technologies and strategies can transform care team...

Prior Authorization in Healthcare: Why Now?

Prepare your organization for the CMS 2027 mandate on prior authorization via API. Join our webinar to explore investment insights, real-time data exchange, and the benefits of...

Securing Remote Radiology with the Zero Trust Exchange

Discover how the Zero Trust Exchange is transforming remote radiology security. This video delves into innovative solutions that protect sensitive patient data, ensuring robust...