Philips TASY EMR Vulnerabilities May Expose Patient Data

November 05, 2021 - Philips disclosed two security vulnerabilities in its TASY EMR HTML5 system in a recent advisory that may allow for patient data exposure. If exploited, unauthorized users could potentially exfiltrate sensitive patient data from the TASY database. The vulnerabilities apply to the TASY EMR HTML5 3.06.1803 and prior versions.

The Cybersecurity & Infrastructure Security Agency (CISA) also released an advisory on the EMR system.

The first vulnerability, which applies to version 3.06.1789 and prior, may allow a successful SQL injection attack that could result in patient data exposure and extraction.

“Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. This can be used to alter query logic to bypass security checks, or to insert additional statements that modify the back-end database, possibly including execution of system commands,” MITRE’s Common Weakness Enumeration (CWE) explained in CISA’s advisory.

“SQL injection has become a common issue with database-driven web sites. The flaw is easily detected, and easily exploited, and as such, any site or software package with even a minimal user base is likely to be subject to an attempted attack of this kind. This flaw depends on the fact that SQL makes no real distinction between the control and data planes.”

The second vulnerability, which applies to version 3.06.1803 and prior, allows potential attackers to gain unauthorized access to TASY EMR systems or accounts and ultimately lead to a denial-of-service (DoS) attack.

A DoS attack occurs when threat actors overload a network server with traffic to the point that legitimate users are unable to access information systems. Standard DoS attacks and distributed denial-of-service (DDoS) attacks are becoming a significant threat to the healthcare sector.

DDoS attacks can effectively halt business operations and deny access to vital IT resources, which can have a negative impact on patient care and safety.

“It is important to note that to exploit these vulnerabilities, an attacker must necessarily have valid access to the system (session authenticated with valid TASY username and password),” Philips noted in its advisory.

“Philips recommends following best practices regarding the management of credentials, which must be personal and non-transferable, with periodic password changes. Philips also recommends avoiding posting access to the TASY system on the Internet in an open way.”

Philips and CISA recommended that users take defensive measures to mitigate risk. Users should minimize network exposure for all control system devices, locate control system networks and remote device behind firewalls and isolate them from the network and use VPNs and secure access methods when remote access is required.

“At this time, Philips has received no reports of exploitation of these vulnerabilities or incidents from clinical use that we have been able to associate with this problem,” Philips concluded. 

“Philips’ analysis has shown that it is unlikely that this vulnerability would impact clinical use. Philips’ analysis also indicates there is no expectation of patient hazard due to this issue.”