CISA Offers Update on Philips Patient Monitoring Flaws
Latest Advisory Warns of Potential Impact of Exploits
Federal authorities have issued an updated advisory about security vulnerabilities in certain patient monitoring devices manufactured by Philips, which, if exploited, could result in unauthorized access to patient data and interruptions in monitoring.
In an alert issued this week, the Cybersecurity and Infrastructure Security Agency notes that successful exploitation of several flaws identified in Philips patient monitoring gear "could result in unauthorized access, interrupted monitoring and collection of access information and/or patient data."
CISA notes, however, that to successfully exploit these vulnerabilities, an attacker would need to gain either physical access to surveillance stations and patient monitors or access to the medical device network.
CISA notes that Philips plans updates for the affected products to remediate all reported vulnerabilities.
The manufacturer says it has not received any reports of exploitation of the flaws or any clinical issues associated with the vulnerabilities.
Affected Products
The alert pertains to these Philips monitoring products:
- Patient Information Center iX - or PICiX;
- PerformanceBridge Focal Point;
- IntelliVue Patient Monitors MX100, MX400-MX850, and MP2-MP90;
- IntelliVue X2 and X3.
The affected products are deployed in the healthcare and public health sectors worldwide, CISA notes.
Vulnerabilities Cited
The vulnerabilities identified involve:
- Improper neutralization of formula elements in a CSV file;
- Cross-site scripting;
- Improper authentication;
- Improper check for certificate revocation;
- Improper handling of length parameter inconsistency;
- Improper validation of syntactic correctness of input;
- Improper input validation;
- Exposure of resource to wrong sphere.
Updated Advisory
The CISA advisory is a follow-up to an alert issued on Sept. 10, 2020 (see: Patient Monitoring Software Vulnerabilities Identified).
As was the case last year, a team of security researchers in Germany identified the latest vulnerabilities and reported them to Philips and the Federal Office for Information Security in Germany.
A Philips spokesman tells Information Security Media Group: "To place this into perspective, there were incremental changes to the original CISA advisory of September 2020, including a change in mitigations to the projected date of mitigation for PerformanceBridge Focal Point - from Q2 2021 to Q3 2021. There was a second change for IntelliVue Patient Monitors Version M.04, which now includes an instruction to contact a Philips service support team for an upgrade path."
Users with questions regarding their specific Philips IntelliVue Monitor, PIC iX and PerformanceBridge Focal Point installation should contact their local Philips service support team or regional service support, the company says.
Evolving Risks
The CISA alert stemming from the researchers' investigative report "shows the inherent risks of the underlying computing technologies … which can be mitigated through the right combination of cyber-physical controls still under development," says Michael Holt, president and CEO of healthcare cybersecurity firm Virta Labs.
"Similar to the industrial revolution, we are in the early stages of the safer design and management of digital critical infrastructure," he says. "With computing and security advancements such as containers and microservices, including innovative commercial solutions for inventory, risk monitoring, access management and segmentation, the infrastructure developers are leading the way to more scalable, configurable, economical and secure solutions."