The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of critical vulnerabilities affecting Philips Tasy electronic medical records (EMR) system that could be exploited by remote threat actors to extract sensitive personal data from patient databases.
"Successful exploitation of these vulnerabilities could result in patients' confidential data being exposed or extracted from Tasy's database, give unauthorized access, or create a denial-of-service condition," CISA said in a medical bulletin issued on November 4.
Used by over 950 healthcare institutions primarily in Latin America, Philips Tasy EMR is designed as an integrated healthcare informatics solution that enables centralized management of clinical, organizational and administrative processes, including incorporating analytics, billing, and inventory and supply management for medical prescriptions.
The SQL injection flaws — CVE-2021-39375 and CVE-2021-39376 — affect Tasy EMR HTML5 3.06.1803 and prior, and could essentially allow an attacker to modify SQL database commands, resulting in unauthorized access, exposure of sensitive information, and even the execution of arbitrary system commands. Both security issues have been ranked 8.8 out of 10 in severity:
- CVE-2021-39375(CVSS score: 8.8): The affected product allows SQL injection via the WAdvancedFilter/getDimensionItemsByCode FilterValue parameter.
- CVE-2021-39376 (CVSS score: 8.8): The affected product allows SQL injection via the CorCad_F2/executaConsultaEspecifico IE_CORPO_ASSIST or CD_USUARIO_CONVENIO parameter.
However, it's worth noting that taking advantage of these vulnerabilities necessitates that the threat actor is already in possession of the credentials that grant access to the affected system.
"At this time, Philips has received no reports of exploitation of these vulnerabilities or incidents from clinical use that we have been able to associate with this problem," the Dutch company noted in an advisory. "Philips' analysis has shown that it is unlikely that this vulnerability would impact clinical use. Philips' analysis also indicates there is no expectation of patient hazard due to this issue."
All healthcare providers using a vulnerable version of the EMR system are recommended to update to version 3.06.1804 or later as soon as possible to prevent potential real-world exploitation.