Alerts: Vulnerability in Philips Records System
Warnings Point to Cross-Site Scripting Vulnerability
The Department of Homeland Security and healthcare IT vendor Philips have issued alerts about a security vulnerability in the company's Tasy electronic medical records system that could put patient data at risk.
The alert issued on April 30 by DHS' Industrial Control Systems Computer Emergency Response Team notes that the cross-site scripting vulnerability in Philips' system identified and reported by an independent researcher could lead to a compromise of patient confidentiality and system integrity. But so far, Philips says, there's no evidence the vulnerability has been exploited.
Philips says its Tasy EMR is an administrative and clinical workflow-based stand-alone software information system that healthcare professionals use to enter, view, manage and disseminate clinical and financial information. It can be hosted locally or remotely.
Although the Philips Tasy EMR product line is sold outside the U.S. - it is implemented in 950 healthcare institutions in countries including Mexico, Brazil, the Netherlands, Germany and India - some experts say the type of vulnerability identified is relatively common and can affect other records systems, health IT products and medical devices.
"Cross-site scripting is not new; it's been on the Open Web Application Security Project list of top ten common website cyber issues for several years," says Mark Johnson of the security consultancy LBMC Information Security. "And the fact that the industry is still facing problems from issues this old doesn't fill me with great confidence that our industry can handle the more sophisticated attacks that are coming our way."
The healthcare sector "still has a long way to go to improve cybersecurity," he adds.
In its April 30 advisory, Philips says the vulnerability involves its Tasy EMR system with software versions 3.02.1744 and earlier.
"Philips has become aware that under certain specific conditions, an attacker with low skill may potentially compromise patient confidentiality, system integrity and/or system availability," the company's advisory says. "Some of the affected vulnerabilities could be attacked remotely."
DHS in its alert notes that if fully exploited, the vulnerability "may allow attackers of low skill in the customer site or on a VPN to provide unexpected input into the application, execute arbitrary code, alter the intended control flow of the system and access sensitive information."
So far, Philips has received no reports of exploitation, nor of incidents from clinical use that it has been able to associate with this problem, the company's advisory notes.
"Philips analysis has shown that it is unlikely that this vulnerability would impact clinical use, due to mitigating controls currently in place. Philips analysis indicates that there is no expectation of patient hazard due to this issue."
Philips advises customers to follow manufacturer instructions in the system configuration manual and avoid providing internet access to the system without a virtual private network.
"Customers are also advised to be on the last three released versions, following the system software release schedule, and also upgrade service packs as soon as possible. Hosted solutions will be patched automatically. Customers running the application on premises are alerted via release notes on changes to the system."
Records System Risks
Security vulnerabilities that show up in electronic healthcare record products are an ongoing challenge.
For instance, last August, London-based security research firm Project Insecurity identified nearly two dozen security weaknesses in OpenEMR - an open source electronic medical record and practice management software.
Those weaknesses left patient data vulnerable to cyberattacks before most were patched, according to the research firm.
As for the cross-site scripting vulnerability found in the Philips EMR, Evan Francen, CEO of security consultancy FRSecure, says he "wouldn't be surprised" to find similar vulnerabilities in other EMRs, as well as in medical devices and other health IT products. "These systems often provide critical services or functions for the healthcare entity, and security is often viewed as a hindrance to providing care. Availability trumps confidentiality."
Cross-site scripting vulnerabilities are fairly simple to identify and exploit in many cases, Francen says. "The fact that a vulnerability such as this one is in production and wasn't noticed or reported until now may indicate or imply that there was a lack of security testing - in healthcare environments and for the product itself," he adds.
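To show why cross-site scripting is both easy to introduce and easy to spot, here is an added illustration (not code from Philips, Tasy or the advisory): a hypothetical "patient search" page that reflects a query parameter into HTML, the same page with context-appropriate output encoding, and the kind of canary check a pre-deployment security test would run against it. The page layout, the `q` parameter and the host name are assumptions for the example.

```javascript
// Added example, not Philips/Tasy code. The page, parameter and host are hypothetical.

// Vulnerable pattern: untrusted query text is concatenated straight into the HTML body,
// so a value such as <svg onload=alert(1)> becomes markup and runs in the victim's browser.
function renderSearchVulnerable(query) {
  return `<html><body><h1>Patient search</h1>` +
         `<p>Results for: ${query}</p></body></html>`;
}

// Encode the characters that are significant in an HTML text or attribute context.
// (A value placed inside a script block or a URL needs a different encoder.)
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: identical page, but the untrusted value is encoded for where it lands.
function renderSearchHardened(query) {
  return `<html><body><h1>Patient search</h1>` +
         `<p>Results for: ${escapeHtml(query)}</p></body></html>`;
}

// Canary check of the kind a pre-deployment test (or a scanner) runs: submit a marker
// payload and report whether it comes back unencoded in the response body.
const CANARY = "<svg onload=alert(1)>";
function reflectsUnencoded(render) {
  return render(CANARY).includes(CANARY);
}

// Response headers that narrow what injected markup can do; they are defense in depth
// and do not substitute for encoding the output.
const DEFENSIVE_HEADERS = {
  "Content-Type": "text/html; charset=utf-8",
  "Content-Security-Policy": "default-src 'self'; script-src 'self'",
  "X-Content-Type-Options": "nosniff",
};

// Build a full response for a request URL (constructed input; no network involved).
function handleRequest(urlString) {
  const url = new URL(urlString);
  const q = url.searchParams.get("q") ?? "";
  return { status: 200, headers: DEFENSIVE_HEADERS, body: renderSearchHardened(q) };
}

// Stand-alone demonstration.
console.log("vulnerable page reflects canary:", reflectsUnencoded(renderSearchVulnerable));
console.log("hardened page reflects canary:  ", reflectsUnencoded(renderSearchHardened));
console.log(handleRequest("http://emr.example/search?q=%3Cscript%3E").body);
```

The check is deliberately crude: it only detects the reflected case, and it only works because the canary is unique enough not to appear in the page by accident. A real test suite would run it against every parameter of every form, include stored inputs that are rendered later on other pages, and vary the payload per output context.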
Steps to Take
So what can healthcare entities do to identify similar potential vulnerabilities?
"Ensure that all systems - medical devices and EMRs included - are tested for security before implementation and regularly thereafter," Francen says.
When vulnerabilities are identified, entities should have a method in place to risk rate them and have plans for remediation of unacceptable risks, he suggests.
"Where patches and/or updates aren't available, look for other creative solutions, such as system isolation."