
Homeland Security warns that Philips DoseWise Portal has security vulnerabilities

by Thomas Dworetzky, Contributing Reporter
Philips DoseWise Portal (DWP), a web application for reporting and tracking radiation exposure, could be remotely hacked, according to Homeland Security — but a new update improves security.

In an Industrial Control System Computer Emergency Response Team (ICS-CERT) advisory, the agency said that “Philips has identified hard-coded credentials and cleartext storage of sensitive information vulnerabilities” in its application. The company has announced an August update of the product documentation and a new version “that mitigates these vulnerabilities.”



The versions affected are DoseWise Portal 1.1.7.333 and 2.1.1.3069. They will be upgraded to Version 2.1.2.3118 – which will replace the authentication method and remove the hard-coded/fixed password vulnerabilities from the system, according to the agency.

A hacker exploiting the vulnerabilities could access the portal database, which holds patient health information.

One of the flaws is that there are hard-coded credentials for a back-end database account in the application – allowing a hacker to gain access to the back-end system. The portal also stores other login credentials in cleartext in the back-end database – thus allowing access to patient data.

To date, there is no indication that anyone has exploited this system weakness, but little skill would be required to do so, according to Homeland Security.

Until the update can be installed, Philips suggests the following steps be taken:

  • Make certain that network security best practices are in place

  • Block Port 1433, unless a separate SQL server is being used
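One way to confirm the port 1433 block took effect is to probe the portal server from a network segment that should no longer reach it. The script below is an added example, not part of the advisory or any Philips tooling; the host list in it is a constructed placeholder to be replaced with your own portal servers.

```python
import socket

SQL_SERVER_PORT = 1433  # the port the advisory says to block


def probe(host, port=SQL_SERVER_PORT, timeout=2.0):
    """Classify one TCP port as seen from this machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed: the port is exposed
    except ConnectionRefusedError:
        return "closed"          # host replied with a reset: nothing listening
    except socket.gaierror:
        return "unresolved"      # hostname did not resolve; fix the inventory
    except OSError:
        return "filtered"        # timeout or unreachable: consistent with a firewall drop


def audit(hosts, port=SQL_SERVER_PORT, timeout=2.0):
    """Probe every host and return {host: state}."""
    return {host: probe(host, port, timeout) for host in hosts}


def exposed(results):
    """Hosts where the mitigation is NOT in effect from this vantage point."""
    return sorted(h for h, state in results.items() if state == "open")


if __name__ == "__main__":
    # Constructed placeholder inventory: replace with your own portal servers.
    portal_hosts = ["127.0.0.1"]
    results = audit(portal_hosts)
    for host, state in results.items():
        print(f"{host}:{SQL_SERVER_PORT} {state}")
    if exposed(results):
        raise SystemExit("port 1433 still reachable on: " + ", ".join(exposed(results)))
```

A result of `filtered` or `closed` only describes the path from the machine running the check, so repeat it from each segment that is supposed to be blocked.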

This advisory can be found here.

ICS-CERT also advised that all networked medical devices and systems be reviewed to ensure they can't be attacked via the Internet, are behind firewalls, and are isolated from the institution's business networks.

If remote access is needed, it advised the use of more rigorous security, such as a VPN.

The portal's weakness to attack is just the latest hacking issue to arise in the networked medical device and software space.

Earlier in August, some Siemens PET/CT scanners were identified as vulnerable to hacking.

“Exploits that target these vulnerabilities are publicly available,” the ICS-CERT advisory noted at the time. Again, the skill level needed by a hacker would be deemed “low.”

Four vulnerabilities were identified, all linked to the fact that the products run Windows 7.

The products involved included all Windows 7-based versions of Siemens PET/CT Systems, SPECT/CT Systems, and SPECT Systems, and Siemens SPECT Workplaces/Symbia.net.

Perhaps even more alarming, in 2016, a white-hat security expert and diabetic uncovered a flaw allowing others to manipulate insulin levels remotely in the Johnson & Johnson Animas OneTouch Ping insulin pump.

“The OneTouch Ping insulin pump system uses cleartext communications, rather than encrypted communications, in its proprietary wireless management protocol,” the security firm Rapid7 announced on its site in late September. It stated that “researcher Jay Radcliffe discovered that a remote attacker can spoof the Meter Remote and trigger unauthorized insulin injections.”

Property of and Proprietary to DOTmed.com, Inc. Copyright ©2001-2018 DOTmed.com, Inc.
ALL RIGHTS RESERVED