News | Cybersecurity | April 16, 2018| Jeff Zagoudis, Associate Editor

Philips Warns of Cybersecurity Vulnerabilities in IntelliSpace and iSite PACS Products

Company says it has not received any reports of patient harm from vulnerabilities, but is offering remediation options for its customers

Philips Warns of Cybersecurity Vulnerabilities in IntelliSpace and iSite PACS Products

April 16, 2018 — Philips Healthcare last week issued a proactive advisory warning to its iSite and IntelliSpace picture archiving and communication system (PACS) customers of potential security vulnerabilities in the products. The company cautioned that while it has received no reports of patient harm, the vulnerabilities in question could impact or potentially compromise patient confidentiality, system integrity and/or system availability.

Philips identified the cybersecurity vulnerabilities, predominantly in third-party components, that if fully exploited may allow low-skill attackers remote entry to the applications. Once inside, any attackers could potentially:

  • Provide unexpected input into the applications;
  • Execute arbitrary code;
  • Alter the intended control flow of the system;
  • Access sensitive information; or
  • Potentially cause a system crash.

The company said its own analysis does not suggest the vulnerabilities would impact clinical use. This is largely due to the fact that IntelliSpace PACS is operated in a managed service environment that adheres to the latest recommendations of the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). The company also noted that it uses an automated antivirus solution and offers a monthly recurring patch program for IntelliSpace customers.

ICS-CERT released its own advisory that describes the vulnerabilities in further detail. Read the full ICS-CERT advisory here.

Philips is offering customers three potential pathways to address the security vulnerabilities:

  1. Enrolling in the recurring patch program, which Philips said will remediate 86 percent of all known vulnerabilities;
  2. Option 1 plus updating system firmware, which will remediate 87 percent of all known vulnerabilities, including all known critical vulnerabilities;
  3. Option 2 plus upgrading to IntelliSpace PACS 4.4.5x with Windows operating system 2012, which addresses product hardening. Philips said this option will remediate 99.9 percent of all the known vulnerabilities, including all critical vulnerabilities.

Remediation options are provided at no charge for Philips customers on full service delivery model contracts.

For more information: www.usa.philips.com/healthcare

 

Related Content

New Report Reveals Vulnerabilities of Internet of Things-enabled Healthcare Devices
News | Cybersecurity | August 29, 2019
Use of the Internet of Things (IoT) is booming, with IHS Markit forecasting there will be 73 billion connected devices ...
New Report Examines Hospital Cybersecurity Challenges in Georgia
News | Cybersecurity | August 20, 2019
Healthcare data breaches are currently being reported at a rate of more than one a day, according to a new report from...
According to the National Association of County and City Health Officials, only 33 percent of the organizations plan against cybersecurity threats and initiate patient identity protection protocols.

According to the National Association of County and City Health Officials, only 33 percent of the organizations plan against cybersecurity threats and initiate patient identity protection protocols. 

Feature | Cybersecurity | May 06, 2019 | Maxim Chernyak
As the...
FDA and DHS Expand Partnership on Medical Device Cybersecurity
News | Cybersecurity | October 30, 2018
The U.S. Food and Drug Administration (FDA) and the U.S. Department of Homeland Security (DHS) will be implementing a...
Medtronic is issuing a software update to address a safety risk caused by cybersecurity vulnerabilities associated with the internet connection between the Carelink 2090 and Carelink Encore 29901 programmers used to download software from the Medtronic software distribution network (SDN) . This update is a voluntary recall correction by the manufacturer to address the safety risk caused by the cybersecurity vulnerability.

Medtronic is issuing a software update to address a safety risk caused by cybersecurity vulnerabilities associated with the internet connection between the Carelink 2090 and Carelink Encore 29901 implantable EP device programmers.

Feature | Cybersecurity | October 17, 2018
October 17, 2018 — The U.S.
Can Your Cardiac Device Be Hacked?
News | Cybersecurity | February 27, 2018
Medical devices, including cardiovascular implantable electronic devices, could be at risk for hacking. In a paper...
MDISS Launches 'WHISTL' Network of Medical Device Security Testing Labs
News | Cybersecurity | August 23, 2017
The Medical Device Innovation, Safety and Security Consortium (MDISS) recently launched the first of more than a dozen...
HHS Unveils Improved Web Tool to Highlight Recent Health Information Breaches
News | Cybersecurity | August 21, 2017
The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) recently launched a revised web...
Overlay Init