
Advisory: Registry Does Not Check %HS_EmergencyAccess Role on Consent Override

This problem affects the following product:

  • HealthShare Unified Care Record: All versions up to and including 2022.2

A patient search can include a request for “emergency access”, also known as a consent override or “Break the Glass”. The Patient Search user interface enforces that the user must have the %HS_EmergencyAccess role.
However, when the UCR Registry receives a PatientSearchRequest message with emergency access specified, the Registry does not validate that the requesting user has the %HS_EmergencyAccess role.

Because this message is only used for system-to-system communication within HealthShare Unified Care Record, the risk of this issue is relatively low and it would be very difficult for an end user to exploit this behavior. All access events are still audited.

This issue is corrected in Unified Care Record 2023.1.

An ad hoc patch to correct the issue is available for most older versions, although some particularly old versions may not have this option. Please contact the Worldwide Response Center (WRC) and refer to HSDD-954.
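
Because all access events are still audited, one way to review exposure on an unpatched version is to cross-check audited emergency-access searches against who actually holds %HS_EmergencyAccess. The sketch below is an added example, not InterSystems code: the CSV layouts, column names, usernames and the `Example_Clinician` role are constructed assumptions and do not reflect the HealthShare audit schema.

```python
import csv
import io

EMERGENCY_ROLE = "%HS_EmergencyAccess"  # role named in the advisory

# Constructed sample exports; columns and values are assumptions for illustration.
AUDIT_CSV = """timestamp,username,event,emergency_access,patient_id
2023-01-10T08:15:00Z,drsmith,PatientSearch,1,P1001
2023-01-10T08:20:00Z,nurse01,PatientSearch,0,P1002
2023-01-10T09:02:00Z,svc_edge,PatientSearch,1,P1003
2023-01-10T09:05:00Z,clerk07,PatientSearch,1,P1001
"""

ROLES_CSV = """username,roles
drsmith,Example_Clinician;%HS_EmergencyAccess
nurse01,Example_Clinician
clerk07,
"""


def load_roles(text):
    """Map lower-cased username -> set of role names (';'-separated in the export)."""
    roles = {}
    for row in csv.DictReader(io.StringIO(text)):
        names = (row["roles"] or "").split(";")
        roles[row["username"].strip().lower()] = {r.strip() for r in names if r.strip()}
    return roles


def unauthorized_overrides(audit_text, roles):
    """Return audit rows where emergency access was requested without the role."""
    findings = []
    for row in csv.DictReader(io.StringIO(audit_text)):
        if row["event"] != "PatientSearch" or row["emergency_access"] != "1":
            continue
        user = row["username"].strip().lower()
        # Users missing from the role export are flagged too (fail closed).
        if EMERGENCY_ROLE not in roles.get(user, set()):
            findings.append(row)
    return findings


if __name__ == "__main__":
    for f in unauthorized_overrides(AUDIT_CSV, load_roles(ROLES_CSV)):
        print(f["timestamp"], f["username"], f["patient_id"])
```

Role membership is read as of the export, so a user whose role was granted or revoked after the audited event needs a manual check.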

 
