IoT Security

Flaws in Philips Patient Monitoring Products Can Lead to Patient Data Exposure

Multiple vulnerabilities identified in Philips patient monitoring solutions could provide attackers with unauthorized access to patient data.

A total of eight security issues were identified. Although they feature severity ratings of medium and low, even low-skilled hackers could exploit them, the Cybersecurity and Infrastructure Security Agency (CISA) warns in a security alert.

“Successful exploitation of these vulnerabilities could result in unauthorized access, interrupted monitoring, and collection of access information and/or patient data,” CISA says.

The security flaws, which were identified by researchers with ERNW as part of a larger project supervised by Germany’s Federal Office for Information Security (BSI), affect IntelliVue Patient Monitor systems, Patient Information Center iX (PIC iX) software, and PerformanceBridge Focal Point, which powers remote enablement.

SecurityWeek has learned that the findings of the project, named ManiMed, will be made public in December.

The discovered bugs have been described as improper neutralization of formula elements in a CSV file (CVE-2020-16214), cross-site scripting (CVE-2020-16218), improper authentication (CVE-2020-16222), improper check for certificate revocation (CVE-2020-16228), improper handling of length parameter inconsistency (CVE-2020-16224), improper validation of syntactic correctness of input (CVE-2020-16220), improper input validation (CVE-2020-16216), and exposure of resources to the wrong control sphere (CVE-2020-16212).
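As an added illustration (not code from Philips, ERNW or the advisory), the Python sketch below shows the defensive pattern behind the first bug class listed above, improper neutralization of formula elements in a CSV file: cells are escaped before export so that a spreadsheet renders them as literal text rather than evaluating them. The record layout and values are constructed for the example.

```python
import csv
import io
from numbers import Number

# Leading characters that spreadsheet applications interpret as the start of a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(text):
    """True if a text cell would be evaluated as a formula when the CSV is opened."""
    return text.lstrip().startswith(FORMULA_TRIGGERS)


def neutralize_cell(value):
    """Escape one cell so that it is rendered as text.

    Numeric values are left alone (a negative number is not an injection).
    Text beginning with a trigger character is prefixed with a single quote,
    which spreadsheet applications treat as a "text only" marker.
    """
    if isinstance(value, Number) and not isinstance(value, bool):
        return value
    text = str(value)
    if is_formula_like(text):
        return "'" + text
    return text


def export_rows(rows):
    """Write rows as CSV text with every cell neutralized; returns the CSV string."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample: patient records in the shape a monitoring export might use.
# The name field in the second record is a formula-shaped string, not a real value.
SAMPLE_ROWS = [
    ["patient_id", "name", "heart_rate"],
    ["P-001", "Doe, Jane", 72],
    ["P-002", "=SUM(1,2)", 85],
    ["P-003", "-5 beats below baseline", -5],
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS))
```

The escape is applied only to text cells, so numeric columns keep their type and a legitimate negative reading is not mangled.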

Philips has issued an advisory regarding these vulnerabilities, confirming that a low skill level is required for exploitation. The company also explains that an attacker looking to exploit the flaws requires either “physical access to surveillance stations and patient monitors or access to the medical device network.”

“There are no known public exploits available for these issues. To date, Philips has not received any reports of exploitation of these issues or of incidents from clinical use that we have been able to associate with this issue,” the company notes.

Philips is currently working on new releases to fix the issues: PIC iX will be updated by end of 2020, IntelliVue versions N.00 and N.01 in Q1 of 2021, PerformanceBridge Focal Point by Q2 of 2021, and IntelliVue version M.04 by end of 2021. A certificate revocation mechanism will be implemented in 2023.

Philips also recommends implementing mitigation steps: physically isolating the Philips patient monitoring network from the hospital local area network (LAN) and using the appropriate security measures to restrict access to the patient monitoring network; ensuring that the simple certificate enrollment protocol (SCEP) service is running only when needed to enroll new devices; and using a unique, long challenge password when enrolling new devices using SCEP.

Furthermore, unauthorized login attempts to the PIC iX application should be prevented through physical security controls (servers should be kept in locked data centers); remote access to PIC iX servers should be granted on a must-have basis only; and login access to the bedside monitor and the PIC iX application should be granted only to trusted users, on a role-based, least-privilege basis.

Related: DHS Warns of Critical Flaws in Medtronic Medical Devices

Related: Vulnerability in Thales Product Could Expose Millions of IoT Devices to Attacks

Related: NIST’s New Advice on Medical IoT Devices

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
