
IoT Security

Flaws in Philips Patient Monitoring Products Can Lead to Patient Data Exposure

Multiple vulnerabilities identified in Philips patient monitoring solutions could provide attackers with unauthorized access to patient data.

A total of eight security issues were identified. Although they carry only medium and low severity ratings, even low-skilled attackers could exploit them, the Cybersecurity and Infrastructure Security Agency (CISA) warns in a security alert.

“Successful exploitation of these vulnerabilities could result in unauthorized access, interrupted monitoring, and collection of access information and/or patient data,” CISA says.

The security flaws, which were identified by researchers with ERNW as part of a larger project supervised by Germany’s Federal Office for Information Security (BSI), affect IntelliVue Patient Monitor systems, Patient Information Center iX (PIC iX) software, and PerformanceBridge Focal Point, which powers remote enablement.

SecurityWeek has learned that the findings of the project, named ManiMed, will be made public in December.

The discovered bugs have been described as improper neutralization of formula elements in a CSV file (CVE-2020-16214), cross-site scripting (CVE-2020-16218), improper authentication (CVE-2020-16222), improper check for certificate revocation (CVE-2020-16228), improper handling of length parameter inconsistency (CVE-2020-16224), improper validation of syntactic correctness of input (CVE-2020-16220), improper input validation (CVE-2020-16216), and exposure of resources to the wrong control sphere (CVE-2020-16212).
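The first finding above, improper neutralization of formula elements in a CSV file (CVE-2020-16214), is the CWE category usually called CSV or formula injection: a cell in an exported file that begins with a character such as `=` is evaluated by the spreadsheet that opens it. The following Python is an added illustration of the defensive pattern, not code from Philips, ERNW, or the advisory; it assumes nothing about how the affected products build their exports. It shows an export routine that forces such cells to be read as text, and a matching check that flags formula-like cells in a file received from elsewhere. The sample rows are constructed for the example.

```python
import csv
import io

# Leading characters that spreadsheet applications interpret as the start of
# a formula (the tab and carriage return variants are used to bypass naive
# checks that only look for "=").
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def _is_plain_number(text):
    """True for values like "-5" or "+3.2" that are numbers, not formulas."""
    try:
        float(text)
    except ValueError:
        return False
    return True


def looks_like_formula(text):
    """Return True if a cell value would be evaluated rather than displayed."""
    return text.startswith(FORMULA_PREFIXES) and not _is_plain_number(text)


def neutralize_cell(value):
    """Return a cell value that will be treated as literal text.

    A leading single quote is the Excel/LibreOffice convention for forcing a
    cell to text; the csv module's quoting handles embedded separators,
    quotes and line breaks.
    """
    text = "" if value is None else str(value)
    if looks_like_formula(text):
        return "'" + text
    return text


def export_rows(rows):
    """Serialize rows to CSV with every formula-like cell neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Flag (row, column, value) for cells in an incoming CSV that would
    execute as formulas; useful as an import-side check or a detection rule
    over exports produced by systems you do not control."""
    findings = []
    reader = csv.reader(io.StringIO(csv_text))
    for r, row in enumerate(reader):
        for c, cell in enumerate(row):
            if looks_like_formula(cell):
                findings.append((r, c, cell))
    return findings


# Constructed sample data: a free-text field containing a harmless formula.
SAMPLE_ROWS = [
    ["patient_id", "note"],
    [7, "=SUM(1,2)"],
    [8, "-5"],
]

if __name__ == "__main__":
    safe = export_rows(SAMPLE_ROWS)
    print(safe)
    # Re-reading the hardened export finds nothing to flag.
    print(find_formula_cells(safe))
    # An unhardened export of the same rows does get flagged.
    print(find_formula_cells("patient_id,note\n7,\"=SUM(1,2)\"\n"))
```

The numeric check keeps negative readings such as `-5` intact, which a blanket "escape everything starting with `-`" rule would corrupt; that trade-off is worth reviewing for any export that carries signed measurements.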

Philips has issued an advisory regarding these vulnerabilities, confirming that a low skill level is required for exploitation. The company also explains that an attacker looking to exploit the flaws requires either “physical access to surveillance stations and patient monitors or access to the medical device network.”

“There are no known public exploits available for these issues. To date, Philips has not received any reports of exploitation of these issues or of incidents from clinical use that we have been able to associate with this issue,” the company notes.

Philips is currently working on new releases to fix the issues: PIC iX will be updated by end of 2020, IntelliVue versions N.00 and N.01 in Q1 of 2021, PerformanceBridge Focal Point by Q2 of 2021, and IntelliVue version M.04 by end of 2021. A certificate revocation mechanism will be implemented in 2023.

Philips also recommends implementing mitigation steps: physically isolating the Philips patient monitoring network from the hospital local area network (LAN) and using the appropriate security measures to restrict access to the patient monitoring network; ensuring that the simple certificate enrollment protocol (SCEP) service is running only when needed to enroll new devices; and using a unique, long challenge password when enrolling new devices using SCEP.

Furthermore, unauthorized login attempts to the PIC iX application should be prevented through physical security controls (servers should be kept in locked data centers); remote access to PIC iX servers should be granted on a must-have basis only; and login access to the bedside monitor and the PIC iX application should be granted to trusted users only, on a role-based, least-privilege basis.

Related: DHS Warns of Critical Flaws in Medtronic Medical Devices

Related: Vulnerability in Thales Product Could Expose Millions of IoT Devices to Attacks

Related: NIST’s New Advice on Medical IoT Devices

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
