Critical vulnerabilities in Philips Tasy EMR could allow remote attackers to expose patient data. According to CISA, “Successful exploitation of these vulnerabilities could result in patients’ confidential data being exposed or extracted from Tasy’s database, give unauthorized access, or create a denial-of-service condition.”
Philips Tasy EMR is designed as an integrated healthcare informatics solution, used by over 950 healthcare institutions primarily in Latin America. The system enables centralized management of clinical, organizational, and administrative processes, including incorporating analytics, billing, and inventory and supply management for medical prescriptions.
CVE-2021-39375 and CVE-2021-39376 are SQL injection flaws, rated 8.8 out of 10 in severity, that affect Tasy EMR HTML5 3.06.1803 and prior. They could allow attackers to alter the SQL commands sent to the database, leading to unauthorized access, exposure of sensitive information, and even the execution of arbitrary system commands.
How these Vulnerabilities Affect Philips Tasy EMR
- CVE-2021-39375: The flaw allows SQL injection via the WAdvancedFilter/getDimensionItemsByCode FilterValue parameter.
- CVE-2021-39376: The flaw allows SQL injection via the CorCad_F2/executaConsultaEspecifico IE_CORPO_ASSIST or CD_USUARIO_CONVENIO parameter.
However, attackers can only exploit these vulnerabilities if they already possess credentials that grant access to the affected system.
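To illustrate the class of flaw behind the two CVEs, here is an added example (not Philips's code, and not Tasy's schema) contrasting a filter lookup that splices the `FilterValue` parameter into the SQL text with one that binds it as a parameter. The table, column names and sample rows are constructed for the demonstration; the point is that with concatenation the input can change the query's logic and return rows the `visibility` condition was meant to hide, while the bound version treats the same input as plain data.

```python
import sqlite3

# Constructed sample data: a toy "dimension items" table with a visibility flag.
SAMPLE_ROWS = [
    ("CARD", "Cardiology", "restricted"),
    ("ONCO", "Oncology", "restricted"),
    ("GEN", "General", "public"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dimension_item (code TEXT, name TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO dimension_item VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def get_items_concat(conn, filter_value):
    """Vulnerable pattern: the caller-supplied filter value becomes part of the SQL text.

    A value containing a quote terminates the literal early, so the remainder of the
    input is parsed as SQL and can rewrite the WHERE clause (here: bypass 'public').
    """
    sql = ("SELECT code, name FROM dimension_item "
           f"WHERE visibility = 'public' AND code = '{filter_value}'")
    return conn.execute(sql).fetchall()


def get_items_bound(conn, filter_value):
    """Hardened pattern: the filter value is passed as a bound parameter.

    The database receives the SQL and the value separately; quotes in the value are
    just characters to compare against the code column, never query syntax.
    """
    sql = ("SELECT code, name FROM dimension_item "
           "WHERE visibility = 'public' AND code = ?")
    return conn.execute(sql, (filter_value,)).fetchall()


def compare(filter_value):
    """Run both variants on a fresh database and return their result sets side by side."""
    conn = make_db()
    try:
        return {
            "concat": get_items_concat(conn, filter_value),
            "bound": get_items_bound(conn, filter_value),
        }
    finally:
        conn.close()
```

For an ordinary code such as `GEN` both functions agree; for an input that includes a quote and an `OR` clause, only the concatenated variant returns the restricted rows, which is the data-exposure outcome CISA describes.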
Philips in an advisory said, “At this time, Philips has received no reports of exploitation of these vulnerabilities or incidents from clinical use that we have been able to associate with this problem. Philips’ analysis has shown that it is unlikely that this vulnerability would impact clinical use. Philips’ analysis also indicates there is no expectation of patient hazard due to this issue.”
Healthcare providers running vulnerable versions of the EMR system are advised to update to version 3.06.1804 or later as soon as possible to prevent potential real-world exploitation.