Cyber Warnings About Certain Philips Medical Devices
Philips and DHS Issue Alerts Calling Attention to Vulnerabilities That Will Be Patched
The Department of Homeland Security and medical device maker Philips have issued alerts about cyber vulnerabilities in some of the company's medical devices.
An alert Tuesday from DHS' Industrial Control Systems Cyber Emergency Response Team notes that vulnerabilities involving "improper privilege management" and "unquoted search path or element" pose risk in certain versions of Philips' IntelliSpace Cardiovascular cardiac image and information management software.
Affected products include IntelliSpace Cardiovascular, Version 3.1 or prior, and Xcelera Version 4.1 or prior, the DHS alert notes.
Successful exploitation of these vulnerabilities could allow an attacker with local access and user privileges to escalate privileges on the ISCV/Xcelera server and execute arbitrary code, DHS warns.
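The "unquoted search path or element" weakness named above is a configuration defect that administrators can audit for directly: a Windows service whose ImagePath contains spaces but is not enclosed in quotes, which the quoting fix removes. The following Python script is an added example written for this article, not Philips' service bulletin or any Philips code; it does not know the real IntelliSpace or Xcelera service names, so the service entries in `SAMPLE_IMAGE_PATHS` are constructed placeholders. It flags the pattern, shows the hardened (quoted) form of each affected path, and on a Windows host can read live ImagePath values from the registry instead of the sample.

```python
"""Audit Windows service ImagePath values for the unquoted-search-path pattern.

Added example for this article (assumption: not Philips' bulletin or code;
service names and paths below are constructed placeholders).
"""
import re
import sys
from typing import Dict, List, NamedTuple, Tuple

# The executable portion of an unquoted ImagePath ends at the first executable
# extension; anything after that is treated as service arguments.
_EXE_RE = re.compile(
    r"^(?P<exe>.*?\.(?:exe|sys|dll|bat|cmd))(?P<args>\s.*)?$",
    re.IGNORECASE | re.DOTALL,
)


class Finding(NamedTuple):
    service: str
    image_path: str
    fixed_path: str


def split_image_path(image_path: str) -> Tuple[str, str]:
    """Return (executable, arguments). Quoted paths split at the closing quote,
    unquoted paths at the first executable extension."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return s[1:], ""
        return s[1:end], s[end + 1:]
    m = _EXE_RE.match(s)
    if not m:
        return s, ""
    return m.group("exe"), m.group("args") or ""


def is_unquoted_with_spaces(image_path: str) -> bool:
    """True when the executable portion contains a space and is not quoted,
    i.e. the 'unquoted search path or element' pattern."""
    s = image_path.strip()
    if s.startswith('"'):
        return False
    exe, _ = split_image_path(s)
    return " " in exe


def quoted_fix(image_path: str) -> str:
    """Hardened form: wrap the executable in double quotes, keep the arguments."""
    exe, args = split_image_path(image_path)
    return f'"{exe}"{args}'


def audit(image_paths: Dict[str, str]) -> List[Finding]:
    """Return one Finding per service whose ImagePath needs quoting."""
    return [
        Finding(name, path, quoted_fix(path))
        for name, path in sorted(image_paths.items())
        if is_unquoted_with_spaces(path)
    ]


def read_service_image_paths() -> Dict[str, str]:
    """Collect ImagePath values from the live registry; empty off Windows."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only standard library module

    result: Dict[str, str] = {}
    root = r"SYSTEM\CurrentControlSet\Services"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root) as services:
        subkey_count = winreg.QueryInfoKey(services)[0]
        for i in range(subkey_count):
            name = winreg.EnumKey(services, i)
            try:
                with winreg.OpenKey(services, name) as svc:
                    value, _ = winreg.QueryValueEx(svc, "ImagePath")
                    result[name] = value
            except OSError:
                continue  # key without an ImagePath value, or access denied
    return result


# Constructed sample (placeholder vendor and service names, not Philips').
SAMPLE_IMAGE_PATHS = {
    "ExampleAgentSvc": r"C:\Program Files\Example Vendor\Agent\agent.exe -service",
    "QuotedSvc": r'"C:\Program Files\Example Vendor\Service\svc.exe" /run',
    "NoSpaceSvc": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "DriverSvc": r"%SystemRoot%\system32\drivers\example.sys",
}

if __name__ == "__main__":
    paths = read_service_image_paths() or SAMPLE_IMAGE_PATHS
    for f in audit(paths):
        print(f"{f.service}: {f.image_path}\n    -> {f.fixed_path}")
```

Run as-is, the script reports only `ExampleAgentSvc` from the sample; the quoted entry, the system32 path and the driver path have no unquoted space in their executable portion and are left alone. The quoted form it prints is the corrected ImagePath value, which is the same shape of fix a service-configuration workaround would apply.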
Philips says it has not received any reports of "exploitation of these vulnerabilities or incidents from clinical use that we have been able to associate with this problem, and no public exploits are known to exist that specifically target these vulnerabilities."
In addition, on Thursday, DHS and Philips each issued alerts about vulnerabilities in certain Philips PageWriter Cardiographs products, which are used for diagnostic electrocardiogram testing.
The issues include improper input validation and use of hard-coded credentials, which if exploited "could allow buffer overflows, or allow an attacker to access and modify settings on the device," DHS notes.
The kinds of security issues identified in the Philips IntelliSpace Cardiovascular products are not unusual, says Ben Ransford, CEO and founder of healthcare security firm Virta Labs.
"These types of 'local' vulnerabilities are common throughout commercial products, including medical devices," he says.
"I don't think these particular vulnerabilities are any more dangerous to healthcare providers than previous ones. Every new disclosure is a great chance for healthcare providers to test their security controls."
While the DHS advisory says a "researcher" identified the IntelliSpace Cardiovascular problems, an alert issued on Tuesday by Philips notes that a "customer" tipped off the company about the vulnerabilities.
"Philips has confirmed the findings of a customer-submitted complaint of vulnerabilities affecting the Philips IntelliSpace Cardiovascular system version 2.3.1. Philips analysis also confirmed that versions 3.1 and earlier of the Philips IntelliSpace Cardiovascular system and versions 4.x and 3.x of Xcelera are affected as well."
Philips also notes that it notified federal agencies of the problems "as part of Philips' coordinated vulnerability disclosure policy" and in compliance with the Food and Drug Administration post-market guidance requirements for the awareness and remediation of potential system security vulnerabilities.
While the FDA did not issue its own alert about the Philips products, the agency tells Information Security Media Group that it is aware of the situation.
"We are encouraged to see manufacturers and cybersecurity researchers working together in an open and trusted environment to quickly identify, assess and fix cybersecurity vulnerabilities," the FDA tells ISMG.
"This type of coordinated disclosure demonstrates the proactive behavior the FDA has been looking to see from the medical device manufacturer and research community and demonstrates the collaborative manner in which vulnerabilities can be addressed in a way that best protects patients. There is still work to be done, and we are committed to working collaboratively to address our shared goal of protecting the public health."
Philips Mitigation Plan
As for Philips' remediation plan for the IntelliSpace Cardiovascular issues, the company says it will fix these issues in the next software update, IntelliSpace Cardiovascular 3.2.0, to be released in October.
"This version will be announced and become available to customers via the regular communication and distribution channels," Philips says.
In the meantime, both vulnerabilities can be addressed in a "workaround" by changing Windows settings, as described by the vendor's service bulletin concerning the matter, Philips says.
Philips says it plans an update to correct the PageWriter issues in the release scheduled for mid-year 2019.
Disclosures by medical device makers - as well as alerts from regulators - about cyber vulnerabilities in medical devices are becoming more common.
For instance, ICS-CERT has issued cyber alerts in recent months about other devices from Philips as well as those from Becton Dickinson, Silex Technologies and GE Healthcare (see Medical Device Cyber Vulnerabilities: More Alerts).
"I believe Philips and their customer both did the right thing by following the principle of least surprise in this disclosure," says Ransford of Virta Labs. "In cybersecurity, the right approach is generally the least splashy one. Fear is the currency of charlatans."
But not all medical device makers are as forthcoming about informing regulators and the healthcare sector about cybersecurity vulnerabilities identified by researchers, customers or others.
Device manufacturers need to be more proactive about disclosing security vulnerabilities, says Phil Curran, chief information assurance officer and chief privacy officer of Cooper University Health Care, an academic care delivery system based in Camden, N.J. "Not disclosing or late disclosure is a patient safety issue."
And while medical device makers are getting better about addressing cybersecurity in the development of new products, too often, they're hesitant to disclose - and mitigate - cybersecurity issues in older products, says Billy Rios, founder of security firm WhiteScope. For example, Rios claims in a recent interview with ISMG that Medtronic has yet to address vulnerabilities identified in certain pacemaker products.
Curran says he's still frustrated by the lack of disclosure by some medical device makers about cybersecurity issues in their products - and a lack of attention to mitigation efforts.
Comparing medical device makers to other types of technology vendors, Curran says he'd give the device makers a grade of 'C' for their notification of vulnerabilities and an 'F' for their mitigation of the problems because "their fixes are slower than other vendors."
But improved medical device cybersecurity isn't just the responsibility of manufacturers, Ransford notes.
"Even the best disclosure processes grind to a halt when customers aren't prepared to participate," he says. "Things will change for the better when healthcare providers accept that they have a part to play and are willing to start allocating some resources to preparedness."