
Philips PACS may have security vulnerabilities: Homeland Security

by Thomas Dworetzky, Contributing Reporter | April 09, 2018
Health IT
The software vulnerabilities in health care equipment keep coming.

Now the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued an advisory concerning Philips iSite and IntelliSpace PACS medical imaging archiving communications systems and the Alice 6 polysomnography system.

The weaknesses are “predominantly in third-party components,” ICS-CERT stated in its March 29 advisory, adding that “Philips is providing users a number of potential options to remediate these identified vulnerabilities.”

The flaws in the systems could let a hacker “compromise patient confidentiality, system integrity, and/or system availability,” said the agency. In addition, they could be exploited remotely by someone with a “low skill level.”

The vulnerabilities would let hackers execute code, change the control flow of the system, get hold of sensitive data and even crash the system.

Philips has responded that it is addressing the IntelliSpace issues, but at present, it “has received no reports of patient harm.” Nor has its analysis revealed an issue that would “impact clinical use, due to mitigating controls currently in place. To date, Philips has received no complaints involving clinical use that we have been able to associate with this problem.”

For the Alice 6 System, the company has “identified hard-coded credentials and clear text storage and transmission of patient personal health information vulnerabilities,” it stated, adding that it has “updated product documentation and will release a new version that mitigates these vulnerabilities.”

To address these new issues at present, Philips recommended three no-charge options that users could select, including:

Simplest: enroll in the Philips recurring patching program, which will remediate 86 percent of all known vulnerabilities.

More robust: enroll in the company's patching program and update system firmware. This ups the remediation rate to 87 percent of all known vulnerabilities including all known critical vulnerabilities.

Maximum protection: The first two options, plus an upgrade to IntelliSpace PACS 4.4.55x with Windows operating system 2012, which addresses product hardening. This raises remediation rates to 99.9 percent of all the known vulnerabilities, including all critical vulnerabilities.

Vulnerabilities to hacking are an ongoing challenge to the health care industry. In March, for example, some GE imaging systems were found by Homeland Security to be open to exploitation.
