In a recent advisory, the multinational conglomerate Philips disclosed two security flaws in its Tasy EMR HTML5 system that could compromise patient data. By abusing the vulnerabilities, unauthorized users may be able to access and steal private patient records from the Tasy database.
The Cybersecurity & Infrastructure Security Agency (CISA) also released an advisory warning of the critical issues affecting the Tasy EMR system.
Successful exploitation of these vulnerabilities could result in patients’ confidential data being exposed or extracted from Tasy’s database, allow unauthorized access, or create a denial-of-service condition.
What Is Philips Tasy EMR?
Philips Tasy EMR is a unified healthcare informatics system that enables centralized management of clinical, organizational, and administrative processes. It is used by over 950 healthcare facilities, mostly in Latin America.
What Could Happen?
The issues impact the Philips Healthcare Tasy EMR product, specifically Tasy EMR HTML5 3.06.1803 and prior versions. The two SQL injection vulnerabilities, CVE-2021-39375 and CVE-2021-39376, could enable a threat actor to change SQL database commands, leading to unauthorized access, exposure of sensitive information, and execution of arbitrary system commands.
Both CVE-2021-39375 and CVE-2021-39376 have been rated 8.8 out of 10 in severity.
CVE-2021-39375: Philips Healthcare Tasy Electronic Medical Record (EMR) 3.06