Share this article on:
A vulnerability has been identified in the Philips Tasy EMR information system. If exploited, an attacker could send unexpected information to the system, execute arbitrary code, alter information flow, and gain access to patient information.
The flaw was identified by security researcher Rafael Honorato who reported the vulnerability to Philips, which reported the flaw to the National Cybersecurity and Communications Integration Center. An advisory about the vulnerability was issued by ICS-CERT on April 30, 2019.
The vulnerability – CVE-2019-6562 – is present in Tasy EMR versions 3.02.174 and earlier, and mostly affects healthcare providers in Brazil and Mexico. The vulnerability has not been exploited in wild and no public exploits have been identified.
The cross-site scripting vulnerability is caused by improper neutralization of user-controllable input during web page generation. The vulnerability requires a low level of skill to exploit by an individual on the customer site or connecting via a VPN. Despite the potential for information exposure, the vulnerability has been assigned a CVSS v3 base score of 4.1 out of 10.
According to the Philips advisory, “Philips analysis has shown that it is unlikely that this vulnerability would impact clinical use, due to mitigating controls currently in place. Philips analysis indicates that there is no expectation of patient hazard due to this issue.”
Philips has advised all users of Tasy EMR to update to the latest three versions of the software as soon as possible and to ensure Service Packs are applied promptly. Philips will be patching hosted solutions automatically and users who have installed Tasy EMR on-premise will receive alerts when new software versions are released.
Additionally, Philips recommends following the instructions in the product configuration manual and ensuring that Tasy EMR is only accessible over the internet via a VPN.