HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

High Severity Vulnerabilities Identified in Philips Tasy EMR

Two high severity vulnerabilities have been identified in the Philips Tasy EMR that could allow sensitive patient data to be extracted from the database. The vulnerabilities can be exploited remotely, there is a low attack complexity, and exploits for the vulnerabilities are in the public domain.

Philips says the vulnerabilities affect Tasy EMR HTML5 3.06.1803 and prior versions, with the affected products used primarily in South and Central America. The vulnerabilities were identified and publicly disclosed by a security researcher who did not follow responsible disclosure protocols and failed to coordinate with Philips.

The two flaws are both SQL injection vulnerabilities that have been assigned a CVSS v3 severity score of 8.8 out of 10. Both are due to improper neutralization of special elements in SQL commands.

The first flaw, tracked as CVE-2021-39375, allows SQL injection via the WAdvancedFilter/getDimensionItemsByCode FilterValue parameter. The second, tracked as CVE-2021-39376, allows SQL injection via the CorCad_F2/executaConsultaEspecifico IE_CORPO_ASSIST or CD_USUARIO_CONVENIO parameter.
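As an added illustration, not taken from the article or from Philips' code, the following Python sketch contrasts the CWE-89 pattern behind these flaws with its parameterized fix, using a hypothetical dimension-item lookup keyed on a FilterValue parameter; the table, sample rows and function names are assumptions, not the Tasy EMR schema.

```python
import sqlite3

# Constructed sample data standing in for a "dimension items" table; the real
# Tasy EMR schema is not public and is not modelled here.
SAMPLE_ROWS = [
    ("CARDIO", "Cardiology"),
    ("ONCO", "Oncology"),
    ("PED", "Pediatrics"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dimension_item (code TEXT, label TEXT)")
    conn.executemany("INSERT INTO dimension_item VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def get_items_by_code_vulnerable(conn, filter_value: str) -> list:
    """CWE-89 pattern: the FilterValue string is spliced into the SQL text,
    so quote characters inside it are parsed as SQL rather than as data."""
    sql = f"SELECT code, label FROM dimension_item WHERE code = '{filter_value}'"
    return conn.execute(sql).fetchall()


def get_items_by_code_fixed(conn, filter_value: str) -> list:
    """Remediated form: the value is bound as a query parameter, so the
    driver treats it as a literal whatever characters it contains."""
    sql = "SELECT code, label FROM dimension_item WHERE code = ?"
    return conn.execute(sql, (filter_value,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A benign lookup behaves identically in both versions.
    print(get_items_by_code_vulnerable(db, "ONCO"))
    print(get_items_by_code_fixed(db, "ONCO"))
    # A value carrying SQL syntax widens the WHERE clause in the vulnerable
    # version (every row comes back) and matches nothing in the fixed one.
    crafted = "' OR '1'='1"
    print(len(get_items_by_code_vulnerable(db, crafted)))  # 3
    print(len(get_items_by_code_fixed(db, crafted)))       # 0
```

The same contrast is the basis for a code-review or SAST check: any query built by string formatting from request parameters is the pattern to flag.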

By exploiting the flaws, a remote attacker could expose patient data, extract information from the database, or trigger a denial-of-service condition.

Philips says it reported the vulnerabilities to CISA and has fixed both of them in Tasy EMR HTML5 version 3.06.1804. All healthcare providers using a vulnerable version of the EMR system should update to version 3.06.1804 or later as soon as possible to prevent exploitation. Prior to upgrading to the latest version, CISA recommends performing an impact analysis and risk assessment.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.