The Department of Homeland Security and Philips issued an alert April 30 that the information technology vendor's EMR system Tasy has a cross-site scripting vulnerability that could put patient information at risk, according to GovInfoSecurity.com.
"Philips has become aware that under certain specific conditions, an attacker with low skill may potentially compromise patient confidentiality, system integrity and/or system availability," the alert said. "Some of the affected vulnerabilities could be attacked remotely."
Tasy system with software versions 3.02.1744 and earlier were included in the security alert. If the system is fully exploited, hackers could put unexpected data into the application, execute arbitrary code, alert the intended control flow of the system and access sensitive information.
Since the alert, Philips has discovered no evident of exploitation of the vulnerability, GovInfoSecurity.com reports. There has also been no misuse of clinical information.
"Philips analysis has shown that it is unlikely that this vulnerability would impact clinical use, due to mitigating controls currently in place. Philips analysis indicates that there is no expectation of patient hazard due to this issue," the company wrote in the alert.
Customers have been guided to follow manufacturer instructions in the system configuration manual and avoid giving internet access to the EMR without a virtual private network.
"Cross-site scripting is not new; it's been on the Open Web Application Security Project list of top 10 common website cyber issues for several years," Mark Johnson, a security consultant at LBMC Information Security, told GovInfoSecurity.com. "And the fact that the industry is still facing problems from issues this old doesn't fill me with great confidence that our industry can handle the more sophisticated attacks that are coming our way."
More articles about cybersecurity:
5 common questions about HIPAA, answered
Hospitals can leverage AI to combat cyberattacks, report finds
Virus prevented California medical group from accessing records, exposed 198,000 patients