Two critical SQL injection vulnerabilities in Philips Tasy EMR, used by hospitals worldwide

Cybersecurity specialists report the detection of two critical vulnerabilities in Philips Tasy EMR, a medical record and health services management tool. Tracked as CVE-2021-39375 and CVE-2021-39376, both flaws received scores of 8.8/10 according to the Common Vulnerability Scoring System (CVSS).

The flaws were described as SQL injection errors that exist due to the incorrect use of special characters in SQL commands. These errors reside in all Tasy EMR versions prior to 3.06.1803, so administrators of affected versions will need to upgrade to v3.06.1804 or earlier to mitigate the risk of exploitation.

Like any similar product, Tasy EMR stores a wealth of sensitive information, including personally identifiable data, medical records, diagnoses, medication details, bills, and other private records, so system compromise could prove disastrous for hospitals, staff, and patients alike.

Specialists believe that errors in the storage of this confidential information become more evident when they are public health institutions, since their resource limitations make them an ideal target for threat actors, especially considering that most of their work is still the fight against the pandemic.

In this regard, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert, as they consider the update of this product a priority due to its wide use. According to the Agency, this solution is used in hospitals throughout Latin America, mainly in Argentina, Brazil, Mexico, Colombia, the Dominican Republic and other countries. Philips data confirms such a claim, as the company mentions that Tasy EMR is used in more than 1,000 healthcare organizations worldwide.

As mentioned above, the main recommendation is to upgrade vulnerable Tasy EMR implementations to a secure version, for which Philips has published a companion guide on its official platforms. It is also recommended that health institutions try to minimize the exposure of this data to external users and other areas of their systems that do not require access to this information. The use of security tools such as VPN software and anti-malware products is also recommended.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.