Philips issued an advisory in regards to two vulnerabilities found in its Tasy EHR and how to address them, according to a statement the company shared with Becker's on Nov. 4.
Five details:
- Philips said EHRs version 3.06.1789 and prior might allow code injection in certain conditions. A successful attack could result in the exposure or extraction of patient data.
- The company said the second vulnerability affects version 3.06.1803 and prior of the Tasy EHR and could allow hackers to gain unauthorized access to data or accounts and can lead to a denial of service.
- To exploit these vulnerabilities, a hacker must have a valid Tasy username and password. To mitigate the risks, Philips recommends users upgrade to version 3.06.1804 or later with the latest service pack available as well as periodically change their passwords, avoid transferring accounts and avoid posting access to Tasy on the internet.
- Philips has not received any reports of exploitation of these vulnerabilities, according to the statement.
- As part of its voluntary disclosure program, Philips reported the vulnerabilities to the Cybersecurity Infrastructure and Security Agency. The company said it encourages vulnerability testing by security researchers and customers and asks them to report findings to Philips, according to the statement.