
Critical Flaws in Philips TASY EMR Could Expose Patient Data
2021-11-08 19:15

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of critical vulnerabilities affecting the Philips Tasy electronic medical records (EMR) system that could be exploited by remote threat actors to extract sensitive patient data from patient databases.

"Successful exploitation of these vulnerabilities could result in patients' confidential data being exposed or extracted from Tasy's database, give unauthorized access, or create a denial-of-service condition," CISA said in a medical bulletin issued on November 4.

Used by over 950 healthcare institutions primarily in Latin America, Philips Tasy EMR is designed as an integrated healthcare informatics solution that enables centralized management of clinical, organizational and administrative processes, including incorporating analytics, billing, and inventory and supply management for medical prescriptions.

The SQL injection flaws - CVE-2021-39375 and CVE-2021-39376 - affect Tasy EMR HTML5 3.06.1803 and prior, and could essentially allow an attacker to modify SQL database commands, resulting in unauthorized access, exposure of sensitive information, and even the execution of arbitrary system commands.

"Philips' analysis has shown that it is unlikely that this vulnerability would impact clinical use. Philips' analysis also indicates there is no expectation of patient hazard due to this issue."

All healthcare providers using a vulnerable version of the EMR system are advised to update to version 3.06.1804.


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/HCq5CP-R_zU/critical-flaws-in-philips-tasy-emr.html

Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-08-24 | CVE-2021-39376 | SQL Injection vulnerability in Philips Tasy Electronic Medical Record 3.06. Philips Healthcare Tasy Electronic Medical Record (EMR) 3.06 allows SQL injection via the CorCad_F2/executaConsultaEspecifico IE_CORPO_ASSIST or CD_USUARIO_CONVENIO parameter. Network, low complexity; philips; CWE-89. | 6.5 |
| 2021-08-24 | CVE-2021-39375 | SQL Injection vulnerability in Philips Tasy Electronic Medical Record 3.06. Philips Healthcare Tasy Electronic Medical Record (EMR) 3.06 allows SQL injection via the WAdvancedFilter/getDimensionItemsByCode FilterValue parameter. Network, low complexity; philips; CWE-89. | 6.5 |
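
A defender-side log check for the two endpoints and parameters named in the CVE descriptions above, as an added example that is not from the original article, CISA or Philips. It assumes the parameters travel in the URL query string and that the web tier writes combined-format access logs; the `/app/` path prefix, the addresses and all log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoints and parameters named in CVE-2021-39376 and CVE-2021-39375.
WATCHED = {
    "CorCad_F2/executaConsultaEspecifico": {"IE_CORPO_ASSIST", "CD_USUARIO_CONVENIO"},
    "WAdvancedFilter/getDimensionItemsByCode": {"FilterValue"},
}
# Heuristic only: quote, semicolon, SQL comment markers, UNION/SELECT keywords.
SUSPICIOUS = re.compile(r"['\";]|--|/\*|\b(?:union|select)\b", re.I)
# Request field of a combined-format access log line (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; addresses, paths and values are illustrative.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Nov/2021:10:01:02 +0000] "GET /app/WAdvancedFilter/getDimensionItemsByCode?FilterValue=CARDIO HTTP/1.1" 200 512',
    '192.0.2.44 - - [05/Nov/2021:10:01:09 +0000] "GET /app/WAdvancedFilter/getDimensionItemsByCode?FilterValue=x%27%20UNION%20SELECT%20null-- HTTP/1.1" 500 87',
    '192.0.2.44 - - [05/Nov/2021:10:02:30 +0000] "GET /app/CorCad_F2/executaConsultaEspecifico?IE_CORPO_ASSIST=A&CD_USUARIO_CONVENIO=1%27%3B HTTP/1.1" 200 40',
    '192.0.2.10 - - [05/Nov/2021:10:03:00 +0000] "GET /app/login HTTP/1.1" 200 900',
]

def flag_requests(log_lines):
    """Return (line_no, endpoint, parameter, decoded_value) for suspicious values."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        for endpoint, params in WATCHED.items():
            if endpoint not in url.path:
                continue
            # parse_qs percent-decodes values, so encoded quotes are seen too.
            for name, values in parse_qs(url.query, keep_blank_values=True).items():
                for value in values:
                    if name in params and SUSPICIOUS.search(value):
                        hits.append((line_no, endpoint, name, value))
    return hits

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

Hits are leads for review rather than proof of exploitation, and parameters sent in a request body never reach an access log, so application or WAF logs would be needed to cover that case.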

Related vendor

| VENDOR | LAST 12M | #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS |
|---|---|---|---|---|---|---|---|
| Philips | | 111 | 24 | 56 | 19 | 2 | 101 |