HC3 Sector Alert on Older Versions of OpenEMR | Healthcare Innovation

On Jan. 31, the Health Sector Cybersecurity Coordination Center (HC3) published a sector alert regarding multiple vulnerabilities in OpenEMR electronic health records system. According to the alert, three vulnerabilities were found in an older version of OpenEMR.

The alert states that “The software development solution company, Sonar, released a report identifying three vulnerabilities in an older version of OpenEMR, a popular electronic health records system. OpenEMR is described as being ‘used by more than 100,000 medical providers serving more than 200 million patients’. The three vulnerabilities are Unauthenticated File Read, Authenticated Local File Inclusion, and Authenticated Reflected XSS. These vulnerabilities all represent opportunities for cybercriminals to launch ransomware attacks and data breaches—both of which are persistent threats to the health sector, among other types of attacks.”

The vulnerabilities are fixed in newer versions of OpenEMR and the alert says that upgrading to the most recent version will fully patch them.

“Technical details of the vulnerabilities can be found in the Sonar alert,” the release adds. “This includes the attack lifecycle for all three vulnerabilities. It also details how an attacker-controlled MySQL configuration can lead to exploitation of the arbitrary file read vulnerability and how combining two code vulnerabilities, Cross-Site Scripting, and Local File Inclusion can lead to a takeover of any OpenEMR instance. These vulnerabilities were initially reported by Sonar to OpenEMR on October 24, 2022 and released in version 7.0.0, which included the three patches, on November 30, 2022.”

The alert concludes by saying that OpenEMR’s patches can be accessed here. The alert strongly recommends updating older versions of the software immediately to prevent these vulnerabilities from being exploited.