Critical Flaws in Philips TASY EMR Could Expose Patient Data
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of critical vulnerabilities affecting the Philips Tasy electronic medical records (EMR) system that could be exploited by remote threat actors to extract sensitive personal data from patient databases.
"Successful exploitation of these vulnerabilities could result in patients' confidential data being exposed or extracted from Tasy's database, give unauthorized access, or create a denial-of-service condition," CISA said in a medical bulletin issued on November 4.
Used by over 950 healthcare institutions, primarily in Latin America, Philips Tasy EMR is designed as an integrated healthcare informatics solution that enables centralized management of clinical, organizational and administrative processes, including analytics, billing, and inventory and supply management for medical prescriptions.
The SQL injection flaws, CVE-2021-39375 and CVE-2021-39376, affect Tasy EMR HTML5 3.06.1803 and prior. Both stem from request parameters being incorporated into SQL statements, which could allow an attacker to modify the database commands the application runs, resulting in unauthorized access, exposure of sensitive information, and even the execution of arbitrary system commands.
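The following is an added illustration, not code from Philips or from the article, of the defect class behind these CVEs and its standard fix. It uses a constructed in-memory SQLite table (not Tasy's real schema) and borrows only the idea of a request-supplied filter value, as in the `FilterValue` parameter named in the CVE description. The vulnerable function builds SQL by string concatenation; the hardened one binds the value as a parameter, and an allow-list check is layered in front of it as defense in depth.

```python
import re
import sqlite3

# Constructed sample data for the demo; the table and values are invented.
SAMPLE_ROWS = [
    ("Ana", "PLAN-A"),
    ("Bruno", "PLAN-B"),
    ("Carla", "PLAN-A"),
]


def build_db():
    """Create an in-memory database with a tiny, made-up patient table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patient (id INTEGER PRIMARY KEY, name TEXT, plan_code TEXT)"
    )
    conn.executemany(
        "INSERT INTO patient (name, plan_code) VALUES (?, ?)", SAMPLE_ROWS
    )
    return conn


def lookup_vulnerable(conn, filter_value):
    """Defective pattern: the untrusted value becomes part of the SQL text.

    Any quote character in filter_value changes the statement's structure,
    so the caller no longer controls which rows the query returns.
    """
    sql = (
        "SELECT name FROM patient WHERE plan_code = '"
        + filter_value
        + "' ORDER BY name"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, filter_value):
    """Hardened pattern: the value is bound as a parameter.

    The SQL text is fixed at development time; whatever filter_value
    contains is compared as data, never parsed as SQL.
    """
    sql = "SELECT name FROM patient WHERE plan_code = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (filter_value,))]


# Hypothetical allow-list for this demo's plan codes: upper-case letters,
# digits and dashes, at most 16 characters. Real systems derive such rules
# from their own data model; this check complements, not replaces, binding.
PLAN_CODE_RE = re.compile(r"^[A-Z0-9-]{1,16}$")


def lookup_validated(conn, filter_value):
    """Reject values that cannot be a plan code, then query with binding."""
    if not PLAN_CODE_RE.fullmatch(filter_value):
        raise ValueError("filter value rejected by allow-list")
    return lookup_parameterized(conn, filter_value)


def demo():
    """Run the same benign and hostile inputs through each variant."""
    conn = build_db()
    benign = "PLAN-A"
    # Classic tautology payload; under concatenation it widens the WHERE clause.
    hostile = "x' OR '1'='1"
    results = {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_hostile": lookup_vulnerable(conn, hostile),
        "safe_benign": lookup_parameterized(conn, benign),
        "safe_hostile": lookup_parameterized(conn, hostile),
        "validated_benign": lookup_validated(conn, benign),
    }
    try:
        lookup_validated(conn, hostile)
        results["validated_hostile"] = "accepted"
    except ValueError:
        results["validated_hostile"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated query returns every patient when handed the hostile value, which is the data-exposure outcome the advisory describes; the bound query returns nothing, because the whole string is matched literally against `plan_code`, and the allow-list rejects it before a query is issued at all. When reviewing an application for this bug class, the thing to look for is any code path where a request parameter reaches the SQL text rather than the parameter list.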
"Philips' analysis has shown that it is unlikely that this vulnerability would impact clinical use. Philips' analysis also indicates there is no expectation of patient hazard due to this issue."
All healthcare providers using a vulnerable version of the EMR system are recommended to update to version 3.06.1804 or later as soon as possible to prevent potential real-world exploitation.
News URL
https://thehackernews.com/2021/11/critical-flaws-in-philips-tasy-emr.html
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-08-24 | CVE-2021-39376 | SQL Injection vulnerability in Philips Tasy Electronic Medical Record 3.06. Philips Healthcare Tasy Electronic Medical Record (EMR) 3.06 allows SQL injection via the CorCad_F2/executaConsultaEspecifico IE_CORPO_ASSIST or CD_USUARIO_CONVENIO parameter. | 6.5 |
| 2021-08-24 | CVE-2021-39375 | SQL Injection vulnerability in Philips Tasy Electronic Medical Record 3.06. Philips Healthcare Tasy Electronic Medical Record (EMR) 3.06 allows SQL injection via the WAdvancedFilter/getDimensionItemsByCode FilterValue parameter. | 6.5 |