Healthcare Information Security

Mobile News

DHS Flags Encryption Vulnerability in Philips HealthSuite Android App

A security researcher notified Philips that the encryption model used on its mHealth app was too simple for the required level of protection.

encryption vulnerability found in Philips mHealth app

By Jessica Davis

- The Department of Homeland Security National Cybersecurity and Communications Integration Center issued an alert on a vulnerability found in the Philips HealthSuite Health Android app, which would take only a low level of skill to exploit.

Philips launched its HealthSuite platform in 2016, designed as clinical devices and used as part of ongoing collaboration with a provider to improve a patient’s health at home.

The app software uses a simple encryption model that isn’t strong enough for the required level of protection, officials wrote. “A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources.”

The vulnerability is found in all versions of the Android app. An attacker with physical access could successfully exploit the flaw, which would impact the integrity and confidentiality of the data. However, the flaw can’t be remotely exploited, so the risk of compromise is low.

A security researcher discovered the flaw and notified Philips. However, the new release to mitigate the problem and bolster the encryption model will not be available until the first quarter of 2019.

For a temporary measure, Philips recommended against jail-breaking or rooting the mobile device – or one modified from vendor-supported or warranted configurations. In doing so, it may impact the app performance, weaken device security, and expose the user to increased risk.

“At this time, Philips has received no reports of exploitation of this vulnerability or incidents from clinical use that we have been able to associate with this vulnerability, Philips analysis indicates that there is no expectation of patient hazard due to this issue,” officials said in a statement.

Organizations should conduct impact analysis and risk assessments before deploying defensive measures, NCCIC officials recommended.

“Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents,” officials said.

X

SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
BYOD
Cybersecurity
Data Breaches
Ransomware

Our privacy policy


no, thanks

Continue to site...