
CISA Offers Update on Philips Patient Monitoring Flaws

Latest Advisory Warns of Potential Impact of Exploits
Philips' IntelliVue Patient Monitors MX100 is among products included in CISA's updated vulnerability advisory.

Federal authorities have issued an updated advisory about security vulnerabilities in certain patient monitoring devices manufactured by Philips, which, if exploited, could result in unauthorized access to patient data and interruptions in monitoring.


In an alert issued this week, the Cybersecurity and Infrastructure Security Agency notes that successful exploitation of several flaws identified in Philips patient monitoring gear "could result in unauthorized access, interrupted monitoring and collection of access information and/or patient data."

CISA notes, however, that to successfully exploit these vulnerabilities, an attacker would need to gain either physical access to surveillance stations and patient monitors or access to the medical device network.

CISA notes that Philips plans updates for the affected products to remediate all reported vulnerabilities.

The manufacturer says it has not received any reports of exploitation of the flaws or any clinical issues associated with the vulnerabilities.

Affected Products

The alert pertains to these Philips monitoring products:

  • Patient Information Center iX - or PICiX;
  • PerformanceBridge Focal Point;
  • IntelliVue Patient Monitors MX100, MX400-MX850, and MP2-MP90;
  • IntelliVue X2 and X3.

The affected products are deployed in the healthcare and public health sectors worldwide, CISA notes.

Vulnerabilities Cited

The vulnerabilities identified involve:

  • Improper neutralization of formula elements in a CSV file;
  • Cross-site scripting;
  • Improper authentication;
  • Improper check for certificate revocation;
  • Improper handling of length parameter inconsistency;
  • Improper validation of syntactic correctness of input;
  • Improper input validation;
  • Exposure of resource to wrong sphere.
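The first weakness on the list, improper neutralization of formula elements in a CSV file, is worth making concrete: a cell that begins with a character such as `=`, `+`, `-` or `@` is evaluated as a formula when the exported file is opened in a spreadsheet. The following added example (not code from the advisory, Philips, or CISA; the export fields and sample rows are constructed for illustration) shows the mitigation a defender would apply on the export path: prefix such cells so they are displayed as text, quote every field, and verify the output on read-back.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula; these are the "formula elements" the CWE title refers to.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a cell value that a spreadsheet displays as text, never evaluates.

    A leading apostrophe forces text interpretation. csv.QUOTE_ALL in the
    writer keeps the apostrophe inside a quoted field on the way out.
    """
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_PREFIXES):
        return "'" + text
    return text


def export_rows(rows, fieldnames):
    """Serialise dict rows to CSV text with every cell neutralized."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k)) for k in fieldnames})
    return buf.getvalue()


def has_formula_cells(csv_text):
    """Read exported CSV back and report whether any cell still starts
    with a formula element (a check to run on the export before release)."""
    for record in csv.reader(io.StringIO(csv_text)):
        if any(cell.startswith(FORMULA_PREFIXES) for cell in record):
            return True
    return False


# Constructed sample rows (hypothetical field names, not a Philips format):
# one free-text note carries a formula, another starts with a minus sign.
SAMPLE_ROWS = [
    {"bed": "ICU-04", "alarm": "SpO2 low", "note": "=SUM(A1:A3)"},
    {"bed": "ICU-07", "alarm": "HR high", "note": "-5 bpm drift noted"},
]

if __name__ == "__main__":
    out = export_rows(SAMPLE_ROWS, ["bed", "alarm", "note"])
    print(out)
    print("formula cells remaining:", has_formula_cells(out))
```

Note that the prefix also lands on legitimate values such as the `-5 bpm` note; columns that are genuinely numeric should be emitted as numbers from a typed field rather than passed through this text path.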

Updated Advisory

The CISA advisory is a follow-up to an alert issued on Sept. 10, 2020 (see: Patient Monitoring Software Vulnerabilities Identified).

As was the case last year, a team of security researchers in Germany identified the latest vulnerabilities and reported them to Philips and the Federal Office for Information Security in Germany.

A Philips spokesman tells Information Security Media Group: "To place this into perspective, there were incremental changes to the original CISA advisory of September 2020, including a change in mitigations to the projected date of mitigation for PerformanceBridge Focal Point - from Q2 2021 to Q3 2021. There was a second change for IntelliVue Patient Monitors Version M.04, which now includes an instruction to contact a Philips service support team for an upgrade path."

Users with questions regarding their specific Philips IntelliVue Monitor, PIC iX and PerformanceBridge Focal Point installation should contact their local Philips service support team or regional service support, the company says.

Evolving Risks

The CISA alert stemming from the researchers' investigative report "shows the inherent risks of the underlying computing technologies … which can be mitigated through the right combination of cyber-physical controls still under development," says Michael Holt, president and CEO of healthcare cybersecurity firm Virta Labs.

"Similar to the industrial revolution, we are in the early stages of the safer design and management of digital critical infrastructure," he says. "With computing and security advancements such as containers and microservices, including innovative commercial solutions for inventory, risk monitoring, access management and segmentation, the infrastructure developers are leading the way to more scalable, configurable, economical and secure solutions."

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
