Dive Brief:
- The Department of Homeland Security issued a cybersecurity alert Tuesday about Philips’ Tasy Electronic Medical Record (EMR) after learning of a vulnerability that could compromise patient confidentiality.​​​​
- Hackers could exploit the system's weakness, but only if they have physical access to the site or are on the virtual private network, DHS' Cybersecurity and Infrastructure Security Agency (CISA) said.​
- But the access restrictions, coupled with the limited harm that could arise from the weakness, led DHS to give the problem a relatively low rating on its vulnerability scoring system.
Dive Insight:
Web-based EMR systems such as Tasy have enabled healthcare professionals to access electronic information on their patients from different locations and devices without heavy investment in hardware and IT staff. However, the centralization of patient information on platforms that grant access to backend systems and data also makes EMRs attractive targets for hackers​ because they are susceptible to SQL injections, cross-site scripting and other attacks.
Security breaches affected more than 15 million patient records in 2018, three times as many as the previous year, according to research from Protenus, a healthcare compliance analytics company, Almost half of the breaches were the result of hacking, Protenus said.
Cybersecurity vulnerabilities in EMRs are one way people can illegally gain access to private health data, but it is relatively uncommon for DHS to warn of such weaknesses. The alert about Philips Tasy is the only CISA notice focused on the EMR, although last year the agency flagged a problem related to the use of Philips’ IntelliSpace Cardiovascular system in conjunction with an EMR. Last month, CISA highlighted a critical cyber vulnerability in a Medtronic system that enables data transmission from certain cardiac implants.
DHS’ risk evaluation warns exploitation of the Tasy vulnerability could enable hackers to access sensitive information or execute arbitrary code. In a separate document describing the type of vulnerability found in Tasy, DHS warns such weaknesses may allow bad actors to transfer private information, send malicious requests to a website and mount phishing attacks to learn the victim’s password. Those warnings apply to cross-site scripting vulnerabilities in general, not to Tasy specifically.
Although the Tasy vulnerability has not been specifically targeted, Philips and the agency nonetheless recommended users restrict access to Tasy to authorized personnel and disable unnecessary accounts and services.
DHS is also advising users to only give Tasy internet access via a VPN, to update to the latest version of the software and to upgrade service packs as soon as possible. Hosted systems will be patched automatically, while Philips will send alerts to sites running software on on-premise infrastructure.