
IoT Security

Flaws in Philips Patient Monitoring Products Can Lead to Patient Data Exposure

Multiple vulnerabilities identified in Philips patient monitoring solutions could provide attackers with unauthorized access to patient data.


A total of eight security issues were identified. Although they carry only medium and low severity ratings, they could be exploited by attackers with a low skill level, the Cybersecurity and Infrastructure Security Agency (CISA) warns in a security alert.

“Successful exploitation of these vulnerabilities could result in unauthorized access, interrupted monitoring, and collection of access information and/or patient data,” CISA says.

The security flaws, which were identified by researchers with ERNW as part of a larger project supervised by Germany’s Federal Office for Information Security (BSI), affect IntelliVue Patient Monitor systems, Patient Information Center iX (PIC iX) software, and PerformanceBridge Focal Point, which powers remote enablement.

SecurityWeek has learned that the findings of the project, named ManiMed, will be made public in December.

The discovered bugs have been described as improper neutralization of formula elements in a CSV file (CVE-2020-16214), cross-site scripting (CVE-2020-16218), improper authentication (CVE-2020-16222), improper check for certificate revocation (CVE-2020-16228), improper handling of length parameter inconsistency (CVE-2020-16224), improper validation of syntactic correctness of input (CVE-2020-16220), improper input validation (CVE-2020-16216), and exposure of resources to the wrong control sphere (CVE-2020-16212).
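The first class on that list, improper neutralization of formula elements in a CSV file (CWE-1236, the class behind CVE-2020-16214), is worth seeing concretely: a monitoring system that exports patient data to CSV and writes fields verbatim lets a value beginning with `=`, `+`, `-`, `@`, a tab or a carriage return be interpreted as a formula when a clinician opens the file in a spreadsheet. The following is an added example, not Philips or PIC iX code; the column names and patient rows are constructed for illustration. It shows a vulnerable export beside a hardened one and an audit function that flags any cell a spreadsheet would execute.

```python
"""CSV formula-injection (CWE-1236) neutralization, as an added illustration
of the vulnerability class behind CVE-2020-16214. Not Philips code; the
column names and patient rows below are constructed sample data."""
import csv
import io

# Leading characters that make common spreadsheets treat a cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample export: one patient-name field carries a DDE-style
# payload of the kind a spreadsheet would execute on open.
FIELDS = ["bed", "patient", "hr"]
PATIENT_ROWS = [
    {"bed": "ICU-01", "patient": "Doe, Jane", "hr": "78"},
    {"bed": "ICU-02", "patient": "=cmd|'/C calc'!A0", "hr": "81"},
    {"bed": "ICU-03", "patient": "-Smith, John", "hr": "66"},
]


def is_formula_cell(value: str) -> bool:
    """True if a spreadsheet would interpret this cell as a formula."""
    return bool(value) and value[0] in FORMULA_TRIGGERS


def neutralize_cell(value: str) -> str:
    """Prefix a formula-triggering cell with a single quote so the
    spreadsheet treats it as literal text (the OWASP-recommended fix).
    Harmless for ordinary values, which pass through unchanged."""
    if is_formula_cell(value):
        return "'" + value
    return value


def _write(rows, transform):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: transform(v) for k, v in row.items()})
    return buf.getvalue()


def export_vulnerable(rows):
    """'Before' behaviour: fields are written verbatim. The csv module
    quotes commas and quotes correctly, but that does nothing against
    formula injection, which is a spreadsheet-side interpretation issue."""
    return _write(rows, lambda v: v)


def export_hardened(rows):
    """'After' behaviour: every cell is neutralized before it is written."""
    return _write(rows, neutralize_cell)


def audit_export(csv_text: str):
    """Parse an exported CSV and return (row_index, column) for every cell
    a spreadsheet would treat as a formula. Useful as a regression check
    on any export path, not only the one above."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [
        (i, column)
        for i, row in enumerate(reader)
        for column, value in row.items()
        if is_formula_cell(value)
    ]


if __name__ == "__main__":
    print("vulnerable export flags:", audit_export(export_vulnerable(PATIENT_ROWS)))
    print("hardened export flags:  ", audit_export(export_hardened(PATIENT_ROWS)))
```

Note that the hardened export also prefixes legitimate values such as a name beginning with a hyphen; that is the accepted trade-off, since the export cannot know which leading dashes are data and which are formula operators. Applying the neutralization in the export code, rather than expecting the person opening the file to disable formulas, is what actually closes the finding.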

Philips has issued an advisory regarding these vulnerabilities, confirming that a low skill level is required for exploitation. The company also explains that an attacker looking to exploit the flaws requires either “physical access to surveillance stations and patient monitors or access to the medical device network.”

“There are no known public exploits available for these issues. To date, Philips has not received any reports of exploitation of these issues or of incidents from clinical use that we have been able to associate with this issue,” the company notes.


Philips is currently working on new releases to fix the issues: PIC iX will be updated by end of 2020, IntelliVue versions N.00 and N.01 in Q1 of 2021, PerformanceBridge Focal Point by Q2 of 2021, and IntelliVue version M.04 by end of 2021. A certificate revocation mechanism will be implemented in 2023.

Philips also recommends mitigation steps: physically isolating the Philips patient monitoring network from the hospital local area network (LAN) and applying appropriate security measures to restrict access to the patient monitoring network; running the Simple Certificate Enrollment Protocol (SCEP) service only when it is needed to enroll new devices; and using a unique, long challenge password when enrolling new devices via SCEP. The challenge password is what authenticates an enrollment request, so a guessable or shared one would let anyone with access to the monitoring network obtain a device certificate.

Furthermore, unauthorized login attempts against the PIC iX application should be prevented through physical security controls (servers should be kept in locked data centers); remote access to PIC iX servers should be granted only when strictly required; and login access to the bedside monitor and the PIC iX application should be granted only to trusted users, on a role-based, least-privilege basis.

Related: DHS Warns of Critical Flaws in Medtronic Medical Devices

Related: Vulnerability in Thales Product Could Expose Millions of IoT Devices to Attacks

Related: NIST’s New Advice on Medical IoT Devices

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

