Vulnerabilities Impacting Philips TASY EMR Could Lead to Patient Data Exposure
Users Advised to Update ASAP.
In a recent advisory, the multinational conglomerate Philips disclosed two security flaws in its TASY EMR HTML5 system that could compromise patient data. By abusing the vulnerabilities, unauthorized users may be able to access and steal private patient records from the TASY database.
The Cybersecurity & Infrastructure Security Agency (CISA) also released an advisory warning of the critical issues affecting the TASY EMR system.
Successful exploitation of these vulnerabilities could result in patients’ confidential data being exposed or extracted from Tasy’s database, give unauthorized access, or create a denial-of-service condition.
What Is Philips Tasy EMR?
Philips Tasy EMR is a unified healthcare informatics system that enables centralized management of clinical, organizational, and administrative processes. It is used by over 950 healthcare facilities, mostly in Latin America.
What Could Happen?
The issues impact the Philips Healthcare Tasy EMR product Tasy EMR HTML5 3.06.1803 and prior versions. The SQL injection vulnerabilities affecting it are CVE-2021-39375 and CVE-2021-39376 and could enable a threat actor to change SQL database commands, leading to:
- unauthorized access,
- exposure of sensitive information,
- execution of arbitrary system commands.
CVE-2021-39375 and CVE-2021-39376 issues have both been ranked 8.8 out of 10 in severity.
- CVE-2021-39375: Philips Healthcare Tasy Electronic Medical Record (EMR) 3.06 allows SQL injection via the WAdvancedFilter/getDimensionItemsByCode FilterValue parameter.
- CVE-2021-39376: Philips Healthcare Tasy Electronic Medical Record (EMR) 3.06 allows SQL injection via the CorCad_F2/executaConsultaEspecifico IE_CORPO_ASSIST or CD_USUARIO_CONVENIO parameter.
SQL injection has become a common issue with database-driven websites. The flaw is easily detected, and easily exploited, and as such, any site or software package with even a minimal user base is likely to be subject to an attempted attack of this kind. This flaw depends on the fact that SQL makes no real distinction between the control and data planes.
The flaw affecting version 3.06.1803 and prior, enables hackers to get unauthorized access to TASY EMR systems or accounts, resulting in a denial-of-service (DoS) attack. It should be mentioned that in order to exploit the issues, an attacker must first acquire the credentials that give them access to the system.
At this time, Philips has received no reports of exploitation of these vulnerabilities or incidents from clinical use that we have been able to associate with this problem.
Philips’ analysis has shown that it is unlikely that this vulnerability would impact clinical use. Philips’ analysis also indicates there is no expectation of patient hazard due to this issue.
To mitigate the problem, Philips advised all healthcare providers who use a vulnerable version of the EMR system to immediately update Tasy EMR HTML5 to version 3.06.1804 or later with the latest available service pack where both CVEs are remediated.
How Can Heimdal™ Help?
Protect yourself from DDoS attacks with Heimdal™ Threat Prevention, the solution that allows you to easily leverage a Host-Based Intrusion Prevention System (HIPS), augmented by a highly intelligent threat detection technology powered by AI.
The innovative AI will detect and block the infected domains, allowing you to enjoy peace of mind when thinking about your business ecosystem.
Heimdal® Threat Prevention - Network
- No need to deploy it on your endpoints;
- Protects any entry point into the organization, including BYODs;
- Stops even hidden threats using AI and your network traffic log;
- Complete DNS, HTTP and HTTPs protection, HIPS and HIDS;