Multiple vulnerabilities identified in Philips patient monitoring solutions could provide attackers with unauthorized access to patient data.
A total of eight security issues were identified. Although they feature severity ratings of medium and low, even low-skilled hackers could exploit them, the Cybersecurity and Infrastructure Security Agency (CISA) warns in a security alert.
“Successful exploitation of these vulnerabilities could result in unauthorized access, interrupted monitoring, and collection of access information and/or patient data,” CISA says.
The security flaws, which were identified by researchers with ERNW as part of a larger project supervised by Germany’s Federal Office for Information Security (BSI), affect IntelliVue Patient Monitor systems, Patient Information Center iX (PIC iX) software, and PerformanceBridge Focal Point, which powers remote enablement.
SecurityWeek has learned that the findings of the project, named ManiMed, will be made public in December.
The discovered bugs have been described as improper neutralization of formula elements in a CSV file (CVE-2020-16214), cross-site scripting (CVE-2020-16218), improper authentication (CVE-2020-16222), improper check for certificate revocation (CVE-2020-16228), improper handling of length parameter inconsistency (CVE-2020-16224), improper validation of syntactic correctness of input (CVE-2020-16220), improper input validation (CVE-2020-16216), and exposure of resources to the wrong control sphere (CVE-2020-16212).
Philips has issued an advisory regarding these vulnerabilities, confirming that a low skill level is required for exploitation. The company also explains that an attacker looking to exploit the flaws requires either “physical access to surveillance stations and patient monitors or access to the medical device network.”
“There are no known public exploits available for these issues. To date, Philips has not received any reports of exploitation of these issues or of incidents from clinical use that we have been able to associate with this issue,” the company notes.
Philips is currently working on new releases to fix the issues: PIC iX will be updated by end of 2020, IntelliVue versions N.00 and N.01 in Q1 of 2021, PerformanceBridge Focal Point by Q2 of 2021, and IntelliVue version M.04 by end of 2021. A certificate revocation mechanism will be implemented in 2023.
Philips also recommends implementing mitigation steps: physically isolating the Philips patient monitoring network from the hospital local area network (LAN) and using the appropriate security measures to restrict access to the patient monitoring network; ensuring that the simple certificate enrollment protocol (SCEP) service is running only when needed to enroll new devices; and using a unique, long challenge password when enrolling new devices using SCEP.
Furthermore, unauthorized login attempts to the PIC iX application should be prevented through physical security controls (servers should be kept in locked data centers), remote access to PIC iX servers should be granted on a must-have basis only; and login access to the bedside monitor and PIC iX application should only be granted on a role-based, least-privilege basis, to trusted users only.