Homeland Security warns that Philips DoseWise Portal has security vulnerabilities

by Thomas Dworetzky, Contributing Reporter
Philips DoseWise Portal (DWP), a web application for reporting and tracking radiation exposure, could be remotely hacked, according to Homeland Security — but a new update improves security.

In an Industrial Control System Computer Emergency Response Team (ICS-CERT) advisory the agency has advised that, “Philips has identified hard-coded credentials and cleartext storage of sensitive information vulnerabilities” in its application, and the company has announced that there is an August update of the product documentation and a new version “that mitigates these vulnerabilities.”

The versions affected are DoseWise Portal 1.1.7.333 and 2.1.1.3069. They will be upgraded to Version 2.1.2.3118 – which will replace the authentication method and remove the hard-coded/fixed password vulnerabilities from the system, according to the agency.

A hacker exploiting the vulnerabilities could access the portal database, which holds patient health information.

One of the flaws is that there are hard-coded credentials for a back-end database account in the application – allowing a hacker to gain access to the back-end system. The portal also stores other login credentials in cleartext in the back-end database – thus allowing access to patient data.

To date, there is no indication that anyone has exploited this system weakness, but little skill would be required to do so, according to Homeland.

Until the update can be installed, Philips suggests the following steps be taken:

  • Make certain that network security best practices are followed

  • Block Port 1433, unless a separate SQL server is being used

This advisory can be found here.
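
One way to check a Windows host against the port 1433 guidance above, as an added example (not from Philips, ICS-CERT or the original article): it parses `netstat -ano` output and reports where the SQL Server port is listening beyond loopback and which remote hosts hold sessions to it. The sample output, its addresses and the function name `audit_sql_port` are constructed for illustration.

```python
import ipaddress
import re

SQL_PORT = 1433  # port named in the Philips interim guidance

# Constructed sample of Windows `netstat -ano` output (not from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       2284
  TCP    127.0.0.1:1434         0.0.0.0:0              LISTENING       2284
  TCP    10.20.30.40:1433       10.20.30.77:50312      ESTABLISHED     2284
  TCP    [::]:1433              [::]:0                 LISTENING       2284
"""

# Proto, local addr:port, remote addr:port, state (IPv6 appears as [addr]:port).
LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(\w+)", re.I)


def _addr(text):
    """Parse an IPv4 or bracketed IPv6 address, dropping any %zone suffix."""
    return ipaddress.ip_address(text.strip("[]").split("%")[0])


def audit_sql_port(netstat_text, port=SQL_PORT):
    """Return (exposed_listeners, remote_peers) for the given local TCP port.

    exposed_listeners: local addresses listening on `port` that are not loopback.
    remote_peers: non-loopback remote addresses with an established session.
    """
    exposed, peers = [], []
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m or int(m.group(2)) != port:
            continue
        local, remote, state = _addr(m.group(1)), m.group(3), m.group(5).upper()
        if state == "LISTENING" and not local.is_loopback:
            exposed.append(str(local))
        elif state == "ESTABLISHED" and not _addr(remote).is_loopback:
            peers.append(str(_addr(remote)))
    return exposed, peers


if __name__ == "__main__":
    exposed, peers = audit_sql_port(SAMPLE_NETSTAT)
    print("listening beyond loopback:", exposed)
    print("remote clients connected:", peers)
```

A listener bound to all interfaces is only a candidate for blocking: whether it is reachable depends on the host and network firewall rules, and remote peers are expected where a separate SQL server is in use.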

ICS-CERT also advised that all networked medical devices and systems be reviewed to ensure they can't be attacked via the Internet, are behind firewalls, and are isolated from the institution's business networks.

If remote access is needed, it advised the use of more rigorous security, such as a VPN.

The portal's weakness to attack is just the latest hacking issue to arise in the networked medical device and software space.

Earlier in August, some Siemens PET/CT scanners were identified as vulnerable to hacking.

“Exploits that target these vulnerabilities are publicly available,” the ICS-CERT advisory noted at the time. Again, the skill level needed by a hacker would be deemed “low.”

Four vulnerabilities were identified, all linked to the fact that the products run Windows 7.

The products involved included all Windows 7-based versions of Siemens PET/CT Systems, SPECT/CT Systems, and SPECT Systems, and Siemens SPECT Workplaces/Symbia.net.

Perhaps even more alarming, in 2016, a white-hat security expert and diabetic uncovered a flaw allowing others to manipulate insulin levels remotely in the Johnson & Johnson Animas OneTouch Ping insulin pump.

“The OneTouch Ping insulin pump system uses cleartext communications, rather than encrypted communications, in its proprietary wireless management protocol,” the security firm Rapid7 announced on its site in late September. It stated that “researcher Jay Radcliffe discovered that a remote attacker can spoof the Meter Remote and trigger unauthorized insulin injections.”

Property of and Proprietary to DOTmed.com, Inc. Copyright ©2001-2018 DOTmed.com, Inc.
ALL RIGHTS RESERVED