Philips Tasy EMR, used by many hospitals, found vulnerable to SQL injection (CVSS v3: 8.8)


Philips Tasy EMR, used by hundreds of hospitals as a medical records solution and medical management system, has been found to be vulnerable to two critical SQL injection vulnerabilities.

These vulnerabilities are tracked as CVE-2021-39375 and CVE-2021-39376, both with a CVSS v3 severity score of 8.8.

https://nvd.nist.gov/vuln/detail/CVE-2021-39375

Philips Healthcare Tasy Electronic Medical Record (EMR) 3.06 allows SQL injection via the WAdvancedFilter/getDimensionItemsByCode FilterValue parameter.

https://nvd.nist.gov/vuln/detail/CVE-2021-39376

Philips Healthcare Tasy Electronic Medical Record (EMR) 3.06 allows SQL injection via the CorCad_F2/executaConsultaEspecifico IE_CORPO_ASSIST or CD_USUARIO_CONVENIO parameters.

Both are SQL injection flaws: request parameters reach SQL commands without proper escaping of special characters, so attacker-controlled input can change the structure of the query rather than being treated as data.
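To make that mechanism concrete, here is an added example (not Tasy's code or schema; the table, column names and lookup functions are constructed stand-ins for a filter endpoint like getDimensionItemsByCode) showing a lookup that pastes a filter value into the SQL text beside the parameterized form that neutralizes special characters:

```python
import sqlite3

# Constructed in-memory table standing in for the "dimension items" a filter
# endpoint would query. Hypothetical schema, not the product's own.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dimension_item (code TEXT, label TEXT, restricted INTEGER)")
    conn.executemany(
        "INSERT INTO dimension_item VALUES (?, ?, ?)",
        [("CARD", "Cardiology", 0), ("ONCO", "Oncology", 0), ("VIP1", "VIP ward", 1)],
    )
    return conn

def vulnerable_lookup(conn: sqlite3.Connection, filter_value: str) -> list:
    # The class of bug the advisory describes: the request parameter is pasted
    # into the SQL text, so a quote character in the value alters the query
    # itself instead of being compared as data.
    sql = (
        "SELECT code FROM dimension_item "
        f"WHERE restricted = 0 AND code = '{filter_value}'"
    )
    return [row[0] for row in conn.execute(sql)]

def hardened_lookup(conn: sqlite3.Connection, filter_value: str) -> list:
    # The fix: bind the value as a parameter. The driver sends it separately
    # from the SQL text, so special characters can never become SQL syntax.
    sql = "SELECT code FROM dimension_item WHERE restricted = 0 AND code = ?"
    return [row[0] for row in conn.execute(sql, (filter_value,))]

def breaks_query(conn: sqlite3.Connection, filter_value: str) -> bool:
    # Quick defender-side check: legitimate data containing an apostrophe
    # (e.g. a name like O'NEIL) makes the concatenated query malformed. That
    # database error in the logs is often the first visible sign of this bug.
    try:
        vulnerable_lookup(conn, filter_value)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = build_db()
    print("benign, vulnerable :", vulnerable_lookup(db, "CARD"))
    print("benign, hardened   :", hardened_lookup(db, "CARD"))
    print("apostrophe breaks vulnerable query:", breaks_query(db, "O'NEIL"))
    # The same quote-bearing input is just a literal string to the hardened form.
    print("apostrophe, hardened:", hardened_lookup(db, "O'NEIL"))
```

The restricted row (VIP1) is only reachable from the vulnerable form when the filter value rewrites the WHERE clause; the parameterized form returns nothing for the same input because it compares the whole string literally.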

Because the affected versions are Tasy EMR HTML5 3.06.1803 and earlier, all organizations using the healthcare suite are advised to upgrade to version 3.06.1804 or later.

Tasy EMR HTML5 is so widely used by public and private healthcare organizations, especially in Argentina, Brazil, Colombia, Mexico and the Dominican Republic, that CISA has also published an advisory on the product.

https://us-cert.cisa.gov/ics/advisories/icsma-21-308-01

Organizations and hospitals that observe suspected malicious activity should follow their established internal procedures to report findings to CISA and to track correlations with other incidents.

Tasy EMR is used by nearly 1,000 healthcare organizations worldwide and is the leading informatics solution in Latin America.

Data Leakage in Medical Practice

Tasy EMR products hold sensitive medical records, patient treatment histories, medical supply details, financial and billing information, and general hospital administrative data.

Because the system is a central repository of sensitive data, a compromise would affect a large number of people.

The problem is especially acute because hospitals often have to treat emergency patients without first obtaining their consent to data processing.

The responsibility for protecting these data often falls on public agencies that must work with limited resources, under the difficult conditions of an ongoing pandemic.

For this reason, ransomware groups have focused on the medical field in recent years, reportedly able to begin the extortion process simply by stealing files.

Security measures

We recommend that you update Tasy EMR HTML5 to version 3.06.1804 or later, and apply the latest service pack that fixes both CVEs.

  • Minimize network exposure for all control system devices and systems, and ensure that they are not accessible from the Internet.
  • Place control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use secure methods such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities of their own and should be updated to the latest available version.
  • Also be aware that a VPN is only as secure as the devices connected to it.
