A vulnerability was found in the Philips Tasy EMR system. An attacker who takes advantage of it can transmit unexpected data to the system that could execute arbitrary code, alter data flow, impact system integrity, and allow the attacker to access patient information.
Security researcher Rafael Honorato identified the flaw and informed Philips about it. Philips subsequently informed the National Cybersecurity and Communications Integration Center regarding the vulnerability. ICS-CERT published a vulnerability notification on April 30, 2019.
The vulnerability, tracked as CVE-2019-6562, was found in Tasy EMR versions 3.02.174 and prior. It primarily affects healthcare organizations in Mexico and Brazil. So far, no report has been received of the vulnerability being exploited in the wild or publicly.
The cross-site scripting issue is caused by improper neutralization of user-controllable input during the generation of a web page. An attacker with a low skill level can easily trigger the vulnerability through the web page or over a VPN connection. Despite the potential for data exposure, the vulnerability has been assigned a CVSS v3 base score of only 4.1 out of 10.
Philips has notified users to update all Tasy EMR software to the three most recent versions and to apply the Service Packs immediately, so that hosted solutions receive the patch as soon as Philips makes it available. Users who have installed Tasy EMR on-premise will be alerted when Philips releases new software versions.
Philips recommends adhering to the system configuration manual and accessing Tasy EMR over the network only through a VPN.