On November 5, 2021, Philips advised their customers of two security vulnerabilities in their TASY EMR HTML5 system. The vulnerabilities, now known as CVE-2021-39375 and CVE-2021-39376, may cause a patient data breach. Although not currently being exploited in the wild, the vulnerabilities could allow unauthorized users to exfiltrate sensitive patient data from the TASY database.
CVE-2021-39375 is a SQL injection flaw that could allow an attacker to expose and extract patient data. SQL injection is a common issue with database-driven sites and is easily exploited.
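To show why an injection flaw of this class exposes whole tables, here is an added example (not Philips' code, and the patient table and MRN format are constructed for illustration): the concatenated query returns every row when given crafted input, while the parameterized version plus allow-list validation of the identifier does not.

```python
import re
import sqlite3

# Constructed in-memory patient table standing in for an EMR database (hypothetical schema).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patient (id INTEGER PRIMARY KEY, name TEXT, mrn TEXT, diagnosis TEXT)")
    conn.executemany("INSERT INTO patient (name, mrn, diagnosis) VALUES (?, ?, ?)", [
        ("Ana Souza", "MRN-1001", "asthma"),
        ("Bruno Lima", "MRN-1002", "diabetes"),
        ("Carla Reis", "MRN-1003", "hypertension"),
    ])
    return conn

def lookup_vulnerable(conn, mrn):
    # Statement built by string concatenation: the caller's input becomes SQL syntax,
    # so a value containing quotes and OR can widen the WHERE clause to the whole table.
    sql = "SELECT name, mrn, diagnosis FROM patient WHERE mrn = '" + mrn + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, mrn):
    # Bound parameter: the driver passes the value separately from the query text,
    # so the input is only ever compared as data and cannot alter the statement.
    return conn.execute("SELECT name, mrn, diagnosis FROM patient WHERE mrn = ?", (mrn,)).fetchall()

def is_valid_mrn(mrn):
    # Defense in depth: allow-list validation against the expected identifier format
    # (constructed format "MRN-" followed by four digits).
    return re.fullmatch(r"MRN-\d{4}", mrn) is not None

def lookup_hardened(conn, mrn):
    # Reject malformed identifiers before they reach the database, then use a bound parameter.
    if not is_valid_mrn(mrn):
        raise ValueError("rejected input: malformed MRN")
    return lookup_parameterized(conn, mrn)

if __name__ == "__main__":
    db = build_db()
    crafted = "x' OR '1'='1"
    print("vulnerable:", len(lookup_vulnerable(db, crafted)), "rows")      # 3 rows: full table
    print("parameterized:", len(lookup_parameterized(db, crafted)), "rows")  # 0 rows
    print("hardened:", lookup_hardened(db, "MRN-1002"))
```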
The second vulnerability, CVE-2021-39376, is a flaw that allows unauthorized users to gain access to TASY EMR systems or accounts, leading to a denial-of-service (DoS) attack. A DoS attack overloads a network server with bogus traffic to the point that legitimate users can no longer reach the information systems. This kind of attack is becoming far more common in the healthcare sector and is a serious threat: overwhelming a network with bogus traffic could cause life-threatening disruptions to the day-to-day operations of a hospital or medical clinic.
Philips stated that the vulnerabilities are unlikely to impact clinical use and that no patient hazard is expected. As a precaution, patching all systems is still recommended. Philips TASY EMR enables centralized management of clinical and administrative processes, including billing, inventory, and supply management for medical prescriptions. The system is used by over 950 healthcare institutions, primarily in Latin America.
Versions affected:
Philips recommends the following:
Philips TASY EMR Vulnerabilities May Expose Patient Data (healthitsecurity.com)
Critical Flaws in Philips TASY EMR Could Expose Patient Data (thehackernews.com)
Security Advisories (philips.com)