Overview of TASY EMR Vulnerabilities

On November 5, 2021, Philips advised their customers of two security vulnerabilities in their TASY EMR HTML5 system. The vulnerabilities, now known as CVE-2021-39375 and CVE-2021-39376, may cause a patient data breach. Although not currently being exploited in the wild, the vulnerabilities could allow unauthorized users to exfiltrate sensitive patient data from the TASY database.  

CVE-2021-39375 is a SQL injection flaw that could allow a successful SQL injection attack, resulting in patient data exposure and extraction. This flaw is a common issue with database-driven sites and is easily exploited.

The second vulnerability, CVE-2021-39376, is a flaw that allows unauthorized users to gain access to TASY EMR systems or accounts, leading to a denial-of-service (DoS) attack. A DoS attack overloads a network server with bogus traffic to the point that legitimate users cannot access information systems. This kind of attack is becoming increasingly common within the healthcare sector and is a serious threat. Overwhelming a network with bogus traffic could lead to life-threatening disruptions to the day-to-day operations of a hospital or medical clinic.

Philips stated that the vulnerabilities are unlikely to impact clinical use and that there is no expectation of patient hazard. As a precaution, it is still recommended to patch all systems. Philips Tasy EMR enables centralized management of clinical and administrative processes, including billing, inventory, and supply management for medical prescriptions. The system is used by over 950 healthcare institutions, primarily in Latin America.

Versions affected 

  • CVE-2021-39375 – version 3.06.1789 
  • CVE-2021-39376 – version 3.06.1803  

 

How Avertium is Protecting Our Clients

At this time, there are no known IoCs. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, reach out to your Avertium sales representative.  

Recommendations for CVE-2021-39375 and CVE-2021-39376

Philips recommends the following: 

  • Please update your TASY EMR HTML5 system to the latest version (3.06.1804).  
  • CISA recommends that users minimize network exposure for all control system devices. 
  • Locate control system networks and remote devices behind firewalls and isolate them from the network. 
  • Use VPNs and secure access methods when remote access is required. 
  • Prior to deploying defensive measures, perform proper impact analysis and risk assessment. 
  • If you have questions about your system, contact your Philips Customer Success Manager, local Philips support team, or regional service support.  
