Philips Tasy EMR
ICS-CERT ICSMA-21-308-01 (Nov 4, 2021), severity score 8.8
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Philips Tasy EMR HTML5 versions 3.06.1803 and earlier contain SQL injection vulnerabilities (CWE-89) that allow authenticated users to execute arbitrary database queries. Successful exploitation could result in unauthorized access to or modification of patient confidential data, exposure of medical records from the Tasy database, or denial-of-service conditions affecting clinical operations.
What this means
What could happen
An attacker with login credentials could access or modify patient data in the Tasy EMR database, expose confidential medical records, or disrupt system availability. This directly compromises patient privacy and clinical operations.
Who's at risk
This vulnerability affects healthcare organizations using Philips Tasy EMR for electronic medical records and patient data management. Clinical staff, administrative users, and IT teams responsible for EMR systems should prioritize remediation to protect patient privacy.
How it could be exploited
An attacker with valid user credentials accesses the Tasy EMR HTML5 web interface over the network. They exploit an SQL injection vulnerability (CWE-89) to execute arbitrary database queries, bypassing application access controls to read or modify patient records without authorization.
Prerequisites
- Valid login credentials for Tasy EMR HTML5 (e.g., nursing, clinical, or administrative user account)
- Network access to the Tasy EMR web interface (typically internal healthcare network)
- Tasy EMR HTML5 version 3.06.1803 or earlier
- Remotely exploitable via web interface
- Requires valid user credentials (insider threat or compromised account)
- Low exploit complexity (SQL injection)
- High impact on patient confidentiality and data integrity
- Healthcare-critical system
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (1)
Product: Tasy EMR HTML5
Affected Versions: 3.06.1803 and prior (≤ 3.06.1803)
Fix Status: fixed in 3.06.1804 or later
Remediation & Mitigation
Do now
- HARDENING: Restrict network access to the Tasy EMR web interface to authorized clinical and administrative staff only, using firewall rules or IP whitelisting
- HARDENING: Enforce strong password policies and multi-factor authentication for all Tasy EMR user accounts to reduce risk from compromised credentials
- WORKAROUND: Review and audit database access logs and user activity in Tasy EMR for signs of unauthorized queries or data access
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update Tasy EMR HTML5 to version 3.06.1804 or later with the latest available service pack
- HOTFIX: Contact the Philips Customer Success Manager or local service support to coordinate patching and confirm patch availability for your specific Tasy deployment
CVEs (2)
API: /api/v1/advisories/d23d6b8f-3ff0-4ca2-a523-85a1de982f57