Philips, DHS report vulnerability in EMR platform

Company says the security flaw has not been exploited yet and urges customers to update to the most recent version.
By Nathan Eddy
09:48 AM

Healthcare IT vendor Philips and the Department of Homeland Security (DHS) announced an alert regarding vulnerabilities in Philips’ Tasy electronic medical record (EMR) platform.

WHY IT MATTERS

The alert, which was issued on April 30 by the industrial control systems computer emergency response team at the DHS, described a cross-site scripting vulnerability that could lead to a compromise of patient confidentiality and system integrity.

The advisory impacts customers in the Latin American EMR market, where Philips has about a thousand installations at healthcare providers in Brazil and Mexico.

The company’s analysis showed that those issues, if fully exploited, may allow a low-skilled attacker at the customer site or on a VPN to provide unexpected input into the application, execute arbitrary code, alter the intended control flow of the system, and access sensitive information.

Philips noted the vulnerabilities had not yet been exploited, however, and advised users to update to the most recent three released versions of the product.

The company also noted users should upgrade service packs as soon as possible, and announced that hosted solutions would be patched automatically.

THE BIGGER TREND

Trojans, riskware, spyware and worms all plague healthcare, which leads all industries in number of data breaches, according to a report spotlighting top malware threats to hospitals.

BakerHostetler’s 2019 Data Security Incident Response Report finds that insufficient IT infrastructure, paired with troves of sensitive patient information, makes health systems a ripe target for hackers.

However, cybersecurity experts at the analyst firm documented some bright spots in an April study, which found phishing and employee error were still putting data at risk, but in-house detection was improving.

Whereas only 52 percent of incidents were detected internally in 2015, that number jumped to nearly 75 percent in 2018.

Another bit of positive news from the report for the healthcare sector: While the time from breach occurrence to discovery averages 66 days across all industries, it's just 36 days in healthcare.

Nathan Eddy is a healthcare and technology freelancer based in Berlin.

Email the writer: nathaneddy@gmail.com

Twitter: @dropdeaded209 

Healthcare IT News is a HIMSS Media publication.