
Insufficient Access Controls Cause Philips MRI Vulnerabilities

Inadequate access controls that fail to restrict access by unauthorized individuals resulted in 3 medium-severity Philips MRI vulnerabilities.


By Jill McKeon

Three newly identified low-to-medium severity Philips MRI vulnerabilities may allow unauthorized actors to manipulate software, modify system configurations, and export protected health information (PHI) if exploited, according to an email from Philips sent to HealthITSecurity.

The vulnerabilities impact the Philips MRI 1.5T: Version 5.x.x and MRI 3T: Version 5.x.x. The Cybersecurity and Infrastructure Security Agency (CISA) subsequently released an advisory about the vulnerabilities, which were reported to Philips by Michael Aguilar, a Secureworks Adversary Group consultant.

There have been no reported incidents from clinical use as a result of the vulnerabilities, and Philips plans to release a software upgrade by October 2022.

The first vulnerability involved improper access controls. The software failed to restrict or incorrectly restricted access to a resource from an unauthorized actor. The vulnerability makes it difficult for the software to prove the identity of an actor, ensure that an authorized actor can access a resource, and track activity.

The second software vulnerability consisted of issues with incorrect ownership assignment, in which the software assigned a resource to an owner who was outside the intended control sphere. As a result, a threat actor could read and modify data without direct permissions.

The final vulnerability had the potential to expose sensitive information to an actor who is not explicitly authorized to have the information. This vulnerability may lead to PHI exposure and information leaks if exploited.

CISA recommended that users exercise caution with the MRI products and ensure that only permitted personnel are in the vicinity of the product. CISA also recommended that users take defensive measures, including implementing physical security measures, restricting system access to authorized personnel only, and applying defense-in-depth strategies.

Users should also disable any unnecessary accounts and services and refer to medical device security guidance from the Food and Drug Administration (FDA). Organizations should always perform impact analysis and risk assessments prior to implementing these defensive measures.

Philips disclosed these vulnerabilities as part of its voluntary Coordinated Vulnerability Disclosure (CVD) program. Recently, Philips issued a separate advisory warning organizations of two security vulnerabilities in its TASY EMR HTML5 system that may allow for patient data exposure.

If exploited, unauthorized actors could exfiltrate PHI from the TASY database. The first vulnerability may allow for a successful SQL injection attack that could result in patient data exposure. The second vulnerability may allow attackers to gain access to TASY EMR systems or accounts and commit a denial-of-service (DoS) attack.

It is crucial that organizations take inventory of all medical devices on their networks in order to mitigate risk. A lack of visibility, out-of-date medical devices, and an ever-changing cyber threat landscape continue to make healthcare organizations vulnerable to cyberattacks.

“Healthcare is unique in the fact that we have a wide variety of devices that connect to our networks,” Samuel Hill, director of product at Medigate and former ER patient care technician, previously told HealthITSecurity.

“Other industries have that, but those industries don’t have devices that keep people alive. So, we have to be super accurate, and we need to be more accurate than we are currently.”