Philips released an advisory urging healthcare providers to remediate two security vulnerabilities in its TASY Electronic Medical Record HTML5 system, versions 3.06.1803 and prior.  

Two vulnerabilities have been identified in the impacted EMRs, which could result in the exposure or exfiltration of the patients’ sensitive data from the TASY database. An exploit could provide an unauthorized user with access to the device or create a denial-of-service condition.

The first flaw could allow SQL injection under certain conditions. If an attacker is successful in launching an SQL injection attack, sensitive data could be extracted from the EMR database. The Cybersecurity and Infrastructure Security Agency (CISA) explained the actor could leverage an SQL injection attack through the WAdvancedFilter/getDimensionItemsByCode FilterValue parameter.

The second vulnerability is caused by improper neutralization of special elements used in an SQL command, which could allow an attacker to gain access to the TASY EMR system or accounts and possibly lead to partial unavailability of the database service.
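One way a defender could review web access logs for SQL special elements in the FilterValue parameter named above, as an added example that is not Philips or CISA tooling. It assumes combined-format access logs and that FilterValue appears in the URL query string; the `/app/` path prefix, user names and log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter as named in the advisory text above.
ENDPOINT = "WAdvancedFilter/getDimensionItemsByCode"
PARAM = "FilterValue"

# Heuristic indicators of SQL special elements. Assumption: legitimate
# filter values are plain codes without quotes, comments or SQL keywords.
SUSPICIOUS = re.compile(
    r"""['";]|--|/\*|\b(union|select|insert|update|delete|drop)\b""",
    re.IGNORECASE,
)

# Assumption: the request field looks like "METHOD URL PROTOCOL".
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (not taken from any real system).
SAMPLE_LOG = [
    '10.0.0.5 - nurse01 [01/Jan/2024:10:00:00 +0000] "GET /app/WAdvancedFilter/getDimensionItemsByCode?FilterValue=A123 HTTP/1.1" 200 512',
    '10.0.0.9 - clerk07 [01/Jan/2024:10:00:05 +0000] "GET /app/WAdvancedFilter/getDimensionItemsByCode?FilterValue=A123%27-- HTTP/1.1" 200 904',
    '10.0.0.5 - nurse01 [01/Jan/2024:10:00:09 +0000] "GET /app/other?FilterValue=%27 HTTP/1.1" 200 10',
]

def suspicious_requests(log_lines):
    """Return (line_number, client, decoded_value) for each flagged request."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if ENDPOINT.lower() not in url.path.lower():
            continue
        # parse_qs percent-decodes values, so encoded quotes are caught too.
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if SUSPICIOUS.search(value):
                hits.append((n, line.split()[0], value))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Because exploitation requires an authenticated session, each hit can be correlated with the logged user name and reviewed under the organization's incident procedures.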

Both security flaws have been ranked 8.8 out of 10 in severity.

CISA also issued an alert detailing the vulnerabilities to support entities with needed risk mitigation. All healthcare organizations are being urged to upgrade to the latest software versions provided by Philips, which will remove the vulnerabilities and potential exploitation risk.

Fortunately, Philips’ analysis shows it’s unlikely the vulnerability would impact clinical use, and “there is no expectation of patient hazard due to this issue.”

“It is important to note that to exploit these vulnerabilities, an attacker must necessarily have valid access to the system (session authenticated with valid TASY username and password),” Philips officials explained in a statement.

“Philips has voluntarily and proactively reported these potential vulnerabilities and their mitigation to customers and the appropriate government agencies,” they continued. “At this time, Philips has received no reports of exploitation of these vulnerabilities or incidents from clinical use that we have been able to associate with this problem.”

Philips encouraged organizations to employ best practice management for credentials, including that passwords be personal, non-transferable, and periodically changed. Further, access to the TASY system should not be posted or connected to the open internet.

CISA recommended organizations take defensive measures to minimize the exploitation risk of the flaws, including reducing network exposure for all control system devices and systems, ensuring they’re not accessible from the internet.

System administrators should also locate control system networks and remote devices behind firewalls and isolate them from the main network.

If remote access is required, secure measures like Virtual Private Networks should be used.

“Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents,” CISA officials urged.

The alert is part of Philips’ Coordinated Vulnerability Disclosure Policy to provide information on known or possible device vulnerabilities. The publicly accessible program is specifically designed to fuel collaboration between researchers, regulators, clients, and related parties to both find and safely disclose potential flaws.

Philips encourages researchers to responsibly report possible vulnerabilities to the vendor.