Skip to content
Explore more InterSystems sites:
Australia New Zealand
Australia & New Zealand
Benelux
Benelux:
Benelux:
Brazil
Brazil
China
China
Chile
Chile
Czech Republic
Czech Republic
Finland
Finland
France
France
Germany
Germany
Hungary
Hungary
indonesian flag
Indonesia
Italy
Italy
Japan
Japan
Kazakhstan
Kazakhstan
Middle East Region
Middle East
Russia
Russia
South Africa
South Africa
Middle East Region
Southeast Asia
Spain
Spain
Sweden
Sweden
Ukraine
Ukraine
United Kingdom Ireland
United Kingdom & Ireland
United States
United States
Explore more InterSystems sites:
Australia New Zealand
Australia & New Zealand
Benelux
Benelux:
Benelux:
Brazil
Brazil
China
China
Chile
Chile
Czech Republic
Czech Republic
Finland
Finland
France
France
Germany
Germany
Hungary
Hungary
indonesian flag
Indonesia
Italy
Italy
Japan
Japan
Kazakhstan
Kazakhstan
Middle East Region
Middle East
Russia
Russia
South Africa
South Africa
Middle East Region
Southeast Asia
Spain
Spain
Sweden
Sweden
Ukraine
Ukraine
United Kingdom Ireland
United Kingdom & Ireland
United States
United States
Etsi tietoja InterSystemsin tuotteista ja ratkaisuista, uramahdollisuuksista ja muusta.
Home
Product Alerts & Advisories
HealthShare Alert: Potential Unauthorized Data Display

HealthShare Alert: Potential Unauthorized Data Display

Oct 28, 2014

October 28, 2014 - HealthShare Alert: Potential Unauthorized Data Display

InterSystems has discovered and corrected a defect in our web application technology used by the HealthShare portal and the Clinical Viewer.  In rare circumstances, this defect can result in sharing of data by separate user sessions.  This could lead to (a) a user having a different set of privileges and being able to access patient records they are not permitted to view or (b) being presented with clinical data from a different patient in the Clinical Viewer.

The risk is low in typical configurations, but the defect impacts all currently released HealthShare versions.  It occurs only in environments using Microsoft Internet Information Server (IIS) version 7 and higher as its webserver.

This fault will only occur after IIS has recycled one of its worker processes, and the likelihood of encountering this problem increases with the recycling frequency of IIS worker processes.  As an example, frequent recycling of worker processes can occur in configurations where the ‘Idle Timeout’ defined for the Application Pool is set to a low value and, in particular, when the ‘Idle Timeout’ is set to a lower value than the HealthShare application timeout configured in HealthShare.  The settings controlling the recycling of worker processes can be found in the IIS control panel (Application Pool -> [Select Application Pool] -> Advanced Settings).  If the periodic recycling of worker processes is completely disabled in your IIS configuration then your installation will be unaffected by this issue, with the exception that IIS will always recycle a worker processes that either hangs or causes an unrecoverable error condition.

Please work with your system administrators to ensure IIS is configured to minimize any chance of this defect impacting your system and apply the patch available from InterSystems Worldwide Response Center (WRC).

InterSystems WRC can assist with reviewing the potential for this problem impacting your environment.

The correction for this defect is identified as CMT1273.  It will be included in upcoming HealthShare 2013.1 and 2014.1 maintenance releases, and is also available via Ad Hoc distribution from InterSystems WRC. If you have any questions regarding this advisory, please contact the Worldwide Response Center.