This problem affects the following product:
- HealthShare Unified Care Record: All versions up to and including 2022.2
A patient search can include a request for “emergency access”, also known as a consent override or “Break the Glass”. The Patient Search user interface enforces that the user must have the %HS_EmergencyAccess role.
However, when the UCR Registry receives a PatientSearchRequest message with emergency access specified, the Registry does not validate that the requesting user has the %HS_EmergencyAccess role.
Because this message is only used for system-to-system communication within HealthShare Unified Care Record, the risk of this issue is relatively low, and it would be very difficult for an end user to exploit this behavior. All access events are still audited.
This issue is corrected in Unified Care Record 2023.1.
An ad hoc patch to correct the issue is available for most older versions, although some particularly old versions may not have this option. Please contact the Worldwide Response Center (WRC) and refer to HSDD-954.
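Because access events are still audited, the audit trail can be reviewed for emergency-access searches made by users who do not hold %HS_EmergencyAccess. The following Python is an added example, not InterSystems code; the CSV column names, user names, the `ExampleClinicalRole` role and the role snapshot are constructed, hypothetical stand-ins for your own audit and user-management exports, and the snapshot is assumed to reflect role membership at the time of the events.

```python
import csv
import io

EMERGENCY_ROLE = "%HS_EmergencyAccess"  # role name taken from the advisory

# Constructed sample data. The column names are hypothetical, not the
# product's audit schema; map them to the fields of your own audit export.
SAMPLE_AUDIT_CSV = """timestamp,username,event,emergency_access
2023-01-10T08:15:00Z,drsmith,PatientSearchRequest,1
2023-01-10T08:17:30Z,clerk01,PatientSearchRequest,0
2023-01-10T09:02:11Z,svc_edge,PatientSearchRequest,1
2023-01-10T09:40:05Z,nurse22,PatientSearchRequest,1
"""

# Constructed snapshot of user -> roles (hypothetical user-management export).
# svc_edge is deliberately absent to exercise the "unknown user" case.
SAMPLE_ROLES = {
    "drsmith": {"ExampleClinicalRole", EMERGENCY_ROLE},
    "clerk01": {"ExampleClinicalRole"},
    "nurse22": {"ExampleClinicalRole"},
}


def find_unauthorized_emergency_access(audit_csv, roles_by_user):
    """Return (timestamp, username, reason) for each emergency-access search
    whose requesting user cannot be shown to hold EMERGENCY_ROLE."""
    findings = []
    for row in csv.DictReader(io.StringIO(audit_csv)):
        if row["event"] != "PatientSearchRequest":
            continue
        if row["emergency_access"].strip() != "1":
            continue  # ordinary search, no consent override requested
        roles = roles_by_user.get(row["username"])
        if roles is None:
            # Fail closed: an identity we cannot resolve needs manual review.
            reason = "user not in role snapshot"
        elif EMERGENCY_ROLE not in roles:
            reason = "role not held"
        else:
            continue  # legitimate break-the-glass access
        findings.append((row["timestamp"], row["username"], reason))
    return findings


if __name__ == "__main__":
    for finding in find_unauthorized_emergency_access(SAMPLE_AUDIT_CSV, SAMPLE_ROLES):
        print(*finding, sep="  ")
```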