Skip to main content
close search
site logo
Dive Brief

DHS highlights cybersecurity weakness in Philips EMR

Published May 1, 2019
By
Contributor
Getty Images

Dive Brief:

  • The Department of Homeland Security issued a cybersecurity alert Tuesday about Philips’ Tasy Electronic Medical Record (EMR) after learning of a vulnerability that could compromise patient confidentiality.​​​​
  • Hackers could exploit the system's weakness, but only if they have physical access to the site or are on the virtual private network, DHS' Cybersecurity and Infrastructure Security Agency (CISA) said.​
  • But the access restrictions, coupled with the limited harm that could arise from the weakness, led DHS to give the problem a relatively low rating on its vulnerability scoring system.

Dive Insight:

Web-based EMR systems such as Tasy have enabled healthcare professionals to access electronic information on their patients from different locations and devices without heavy investment in hardware and IT staff. However, the centralization of patient information on platforms that grant access to backend systems and data also makes EMRs attractive targets for hackers​ because they are susceptible to SQL injections, cross-site scripting and other attacks.

Security breaches affected more than 15 million patient records in 2018, three times as many as the previous year, according to research from Protenus, a healthcare compliance analytics company, Almost half of the breaches were the result of hacking, Protenus said.

Cybersecurity vulnerabilities in EMRs are one way people can illegally gain access to private health data, but it is relatively uncommon for DHS to warn of such weaknesses. The alert about Philips Tasy is the only CISA notice focused on the EMR, although last year the agency flagged a problem related to the use of Philips’ IntelliSpace Cardiovascular system in conjunction with an EMR. Last month, CISA highlighted a critical cyber vulnerability in a Medtronic system that enables data transmission from certain cardiac implants.

DHS’ risk evaluation warns exploitation of the Tasy vulnerability could enable hackers to access sensitive information or execute arbitrary code. In a separate document describing the type of vulnerability found in Tasy, DHS warns such weaknesses may allow bad actors to transfer private information, send malicious requests to a website and mount phishing attacks to learn the victim’s password. Those warnings apply to cross-site scripting vulnerabilities in general, not to Tasy specifically.

Although the Tasy vulnerability has not been specifically targeted, Philips and the agency nonetheless recommended users restrict access to Tasy to authorized personnel and disable unnecessary accounts and services.

DHS is also advising users to only give Tasy internet access via a VPN, to update to the latest version of the software and to upgrade service packs as soon as possible. Hosted systems will be patched automatically, while Philips will send alerts to sites running software on on-premise infrastructure.

Recommended Reading

Editors' picks

Company Announcements

View all | Post a press release
Powerful Medical Becomes the First Company to Win Best Science Startup and Overall Winner at A…
From Powerful Medical
November 21, 2024
New Published Study Shows MedLite ID as Faster and Simpler Solution to Primary Medication Infu…
From Orion Innovations
November 20, 2024
SYNDEO Medical Announces European MDR Approval for Two Product Brands
From SYNDEO Medical
November 06, 2024
Viz.ai Wins Prestigious Prix Galien USA Award for Best Digital Health Solution
From Viz.ai
November 12, 2024
Editors' picks
Latest in Medical Devices
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell