Philips Discloses Additional Medical Device Security Vulnerabilities

November 24, 2021 - As part of its voluntary Coordinated Vulnerability Disclosure (CVD) program, Philips alerted the healthcare industry to two new medical device vulnerabilities that may allow for its patient monitoring and medical device interfacing devices to be exploited. The vulnerabilities impact the Philips IntelliBridge EC40 and EC80 Hub as well as its Patient Information Center iX (PIC iX) and Efficia CM Series.

The Cybersecurity & Infrastructure Security Agency (CISA) also released two advisories outlining the risks and mitigation techniques for each vulnerability.

In an email sent to HealthITSecurity, Philips confirmed that versions C.00.04 and prior of the IntelliBridge EC40 and EC80 systems, a medical device interfacing solution, contained hard-coded credentials and authentication bypass using an alternate path or channel.

“Philips’ analysis has shown that these issues require a low skill level to exploit. Successful exploitation of these issues may allow an attacker unauthorized access to the Philips IntelliBridge EC40/80 hub and may allow access to execute software, modify device configuration, or view/update files, including unidentifiable patient data,” the email stated.

“The vulnerabilities can potentially be exploited over the Philips patient monitoring network, which is required to be physically or logically isolated from the hospital local area network (LAN).”

Philips has not received any reports of exploitation and said that the vulnerability would be unlikely to impact clinical use since the device hub is not intended for use in connection with active patient monitoring. The hub is used to integrate data from point-of-care devices with hospital information systems.

Philips is expected to release software updates and patches for this vulnerability in Q4 2021. CISA, following Philips’ suggestions, recommended that organizations operate all Philips deployed products within Philips authorized specifications, and isolate the organization’s medical device networks from the larger hospital network.

The second vulnerability impacts Philips patient monitoring devices, specifically the Philips Patient Information Center iX (PIC iX) versions B.02, C.02, C.03 and the Efficia CM Series revisions A.01 to C.01and 4.0.

“Successful exploitation of these vulnerabilities may allow an attacker unauthorized access to data (including patient data) and denial of service resulting in temporary interruption of viewing of physiological data at the central station. Exploitation does not enable modification or change to point of care devices,” Philips said.

Philips already released a remediation in Q3 2021 and plans to release more updates by the end of Q4 2022.  

In the meantime, Philips and CISA urged organizations to not disable the Philips-provided hardware ships with Bitlocker Drive Encryption that were enabled by default. In addition, Philips recommended that customers follow NIST SP 800-88 for media sanitization prior to system disposal and isolate the patient monitoring network from the hospital local area network.

Philips also issued a minor update to the previously reported Patient Monitoring CVD from August 2020. Rather than releasing updates for the PerformanceBridge Focal Point in Q3 2021, Philips now plans to release mitigations in Q4 2021.

In early November, Philips also disclosed two security vulnerabilities in its TASY EMR HTML5 system that may allow for patient data exposure. Additionally, independent researchers recently discovered 13 new medical device security vulnerabilities stemming from the Siemens Nucleus TCP/IP stack that could enable denial-of-service attacks and exploitation.