Skip to main content
close search
site logo
Dive Brief

DHS highlights cybersecurity weakness in Philips EMR

Published May 1, 2019
By
Contributor
Getty Images

Dive Brief:

  • The Department of Homeland Security issued a cybersecurity alert Tuesday about Philips’ Tasy Electronic Medical Record (EMR) after learning of a vulnerability that could compromise patient confidentiality.​​​​
  • Hackers could exploit the system's weakness, but only if they have physical access to the site or are on the virtual private network, DHS' Cybersecurity and Infrastructure Security Agency (CISA) said.​
  • But the access restrictions, coupled with the limited harm that could arise from the weakness, led DHS to give the problem a relatively low rating on its vulnerability scoring system.

Dive Insight:

Web-based EMR systems such as Tasy have enabled healthcare professionals to access electronic information on their patients from different locations and devices without heavy investment in hardware and IT staff. However, the centralization of patient information on platforms that grant access to backend systems and data also makes EMRs attractive targets for hackers​ because they are susceptible to SQL injections, cross-site scripting and other attacks.

Security breaches affected more than 15 million patient records in 2018, three times as many as the previous year, according to research from Protenus, a healthcare compliance analytics company, Almost half of the breaches were the result of hacking, Protenus said.

Cybersecurity vulnerabilities in EMRs are one way people can illegally gain access to private health data, but it is relatively uncommon for DHS to warn of such weaknesses. The alert about Philips Tasy is the only CISA notice focused on the EMR, although last year the agency flagged a problem related to the use of Philips’ IntelliSpace Cardiovascular system in conjunction with an EMR. Last month, CISA highlighted a critical cyber vulnerability in a Medtronic system that enables data transmission from certain cardiac implants.

DHS’ risk evaluation warns exploitation of the Tasy vulnerability could enable hackers to access sensitive information or execute arbitrary code. In a separate document describing the type of vulnerability found in Tasy, DHS warns such weaknesses may allow bad actors to transfer private information, send malicious requests to a website and mount phishing attacks to learn the victim’s password. Those warnings apply to cross-site scripting vulnerabilities in general, not to Tasy specifically.

Although the Tasy vulnerability has not been specifically targeted, Philips and the agency nonetheless recommended users restrict access to Tasy to authorized personnel and disable unnecessary accounts and services.

DHS is also advising users to only give Tasy internet access via a VPN, to update to the latest version of the software and to upgrade service packs as soon as possible. Hosted systems will be patched automatically, while Philips will send alerts to sites running software on on-premise infrastructure.

Recommended Reading

Editors' picks

Company Announcements

View all | Post a press release
Viz.ai Wins Prestigious Prix Galien USA Award for Best Digital Health Solution
From Viz.ai
November 12, 2024
Celonis AgentC: Making AI Agents Work for the Enterprise with Process Intelligence
From Celonis
October 23, 2024
Echosens Launches its Liver Health Management (LHM) Platform Globally, Streamlining Liver Care
From Echosens
November 04, 2024
Lunit Shows Promise of AI in Predicting Immunotherapy Response for Rare Cancer Patients at SIT…
From Lunit
November 10, 2024
Editors' picks
Latest in Medical Devices
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell