Security News > 2021 > November > Critical Flaws in Philips TASY EMR Could Expose Patient Data

Critical Flaws in Philips TASY EMR Could Expose Patient Data
2021-11-08 19:15

The U.S. Cybersecurity and Infrastructure Security Agency is warning of critical vulnerabilities affecting Philips Tasy electronic medical records system that could be exploited by remote threat actors to extract sensitive patient data from patient databases.

"Successful exploitation of these vulnerabilities could result in patients' confidential data being exposed or extracted from Tasy's database, give unauthorized access, or create a denial-of-service condition," CISA said in a medical bulletin issued on November 4.

Used by over 950 healthcare institutions primarily in Latin America, Philips Tasy EMR is designed as an integrated healthcare informatics solution that enables centralized management of clinical, organizational and administrative processes, including incorporating analytics, billing, and inventory and supply management for medical prescriptions.

The SQL injection flaws - CVE-2021-39375 and CVE-2021-39376 - affect Tasy EMR HTML5 3.06.1803 and prior, and could essentially allow an attacker to modify SQL database commands, resulting in unauthorized access, exposure of sensitive information, and even the execution of arbitrary system commands.

"Philips' analysis has shown that it is unlikely that this vulnerability would impact clinical use. Philips' analysis also indicates there is no expectation of patient hazard due to this issue."

All healthcare providers using a vulnerable version of the EMR system are recommended to update to version 3.06.1804.


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/HCq5CP-R_zU/critical-flaws-in-philips-tasy-emr.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2021-08-24 CVE-2021-39376 SQL Injection vulnerability in Philips Tasy Electronic Medical Record 3.06
Philips Healthcare Tasy Electronic Medical Record (EMR) 3.06 allows SQL injection via the CorCad_F2/executaConsultaEspecifico IE_CORPO_ASSIST or CD_USUARIO_CONVENIO parameter.
network
low complexity
philips CWE-89
8.8
2021-08-24 CVE-2021-39375 SQL Injection vulnerability in Philips Tasy Electronic Medical Record 3.06
Philips Healthcare Tasy Electronic Medical Record (EMR) 3.06 allows SQL injection via the WAdvancedFilter/getDimensionItemsByCode FilterValue parameter.
network
low complexity
philips CWE-89
8.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Philips 93 6 43 45 12 106