Publication Date: April 30, 2019
Update Date: April 30, 2019
Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.
In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible system security vulnerabilities, the company is proactively issuing an advisory regarding the Philips TASY EMR system with software versions 3.02.1744 and earlier.
Philips has become aware that under certain specific conditions, an attacker with low skill may potentially compromise patient confidentiality, system integrity, and/or system availability. Some of the vulnerabilities could be exploited remotely. The application does not face the Internet and is only available via a customer’s local network.
At this time, Philips has received no reports of exploitation of these vulnerabilities or incidents from clinical use that we have been able to associate with this problem. Philips analysis has shown that it is unlikely that this vulnerability would impact clinical use, due to mitigating controls currently in place. Philips analysis indicates that there is no expectation of patient hazard due to this issue. To date, Philips has received no complaints involving clinical use that we have been able to associate with this problem.
Philips advises customers to follow manufacturer instructions in the system configuration manual and not provide Internet access to the system without a Virtual Private Network (VPN). Customers are also advised to run one of the last three (3) released versions, following the system software release schedule, and to upgrade service packs as soon as possible. Hosted solutions will be patched automatically. Customers running the application on premises are alerted to changes to the system via release notes.
Philips has reported this potential vulnerability and its resolution to customers and the appropriate government agencies, including US DHS ICS-CERT, which is issuing an advisory.
Users with questions regarding their specific Philips TASY EMR system are advised by Philips to contact their Customer Success Manager (CSM), local Philips service support team, or regional service support. Philips contact information is available at the following location: