Philips Tasy EMR (Update A)

MonitorCVSS 4.3ICS-CERT ICSMA-19-120-01Apr 30, 2019

Philips

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

Philips Tasy EMR and Tasy WebPortal contain input validation vulnerabilities (CWE-79 cross-site scripting and CWE-200 information exposure) that could allow an authenticated attacker to execute arbitrary code, alter control flow, or access sensitive patient information. The vulnerabilities affect Tasy EMR versions 3.02.1744 and prior, and Tasy WebPortal versions 3.02.1757 and prior. An attacker with valid login credentials could exploit these issues to compromise patient confidentiality and system integrity.

What this means

What could happen

An attacker with valid login credentials could access patient data or alter system behavior through malicious input, compromising patient privacy and system reliability. This is an electronic medical record system, so confidentiality of protected health information is the primary concern.

Who's at risk

Healthcare organizations using Philips Tasy EMR or Tasy WebPortal should care, including hospital IT/clinical engineering staff responsible for electronic medical record systems. This affects any hospital or clinic running on-premise Tasy installations at or below the affected versions.

How it could be exploited

An authenticated attacker injects malicious input into the Tasy EMR or WebPortal application interface. The application fails to properly validate this input, allowing the attacker to execute arbitrary code or access database records containing patient information. No network-level attack is required—the attacker must already have valid login credentials.

Prerequisites

Valid user credentials for Tasy EMR or WebPortal
Network access to the Tasy application (internal network for on-premise installations)
Knowledge of application input fields vulnerable to injection

Affects patient data confidentialityRequires valid user credentials (reduces but does not eliminate risk)Low attack complexityVulnerabilities are input validation issues (CWE-79 XSS, CWE-200 information exposure)

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

Tasy EMR Versions: 3.02.1744 and prior≤ 3.01.17443.03.1745

Tasy WebPortal:≤ 3.02.17573.03.1758

Remediation & Mitigation

0/5

Do now

0/1

HOTFIXIf using a hosted (cloud) Tasy solution, verify that Philips has applied the patch automatically

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Tasy EMR to version 3.03.1745 or higher

HOTFIXUpdate Tasy WebPortal to version 3.03.1758 or higher

Long-term hardening

0/2

HARDENINGReview and enforce the security configuration settings described in the Tasy EMR product configuration manual

HARDENINGReview application server security settings and follow the application server manufacturer's best practices documentation

CVEs (2)

CVE-2019-6562 CVE-2019-13557

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/1bbd7366-6fb5-4ce9-8389-d47185c78621

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.