Philips issued two alerts on newly disclosed vulnerabilities in its IntelliBridge hub, Patient Information Center iX (PIC iX), and Efficia CM Series, as part of its voluntary Coordinated Vulnerability Disclosure program that proactively provides insights into known or possible vulnerabilities.
PIC iX and Efficia are patient monitoring devices, and the IntelliBridge hub is a medical device interfacing “plug-and-play solution that integrates data from point-of-care devices with hospital information systems or Philips IntelliSpace.”
The vendor also issued an update on a previously disclosed security flaw in its PerformanceBridge Focal Point, where the expected mitigation date was pushed back from Q3 2021 to Q4 2021.
The newly disclosed vulnerabilities have been reported to the Cybersecurity Infrastructure and Security Agency (CISA), which issued a separate advisory.
Philips identified two vulnerabilities in versions EC40, EC80, and earlier versions of its IntelliBridge hub, both ranked 8.1 in severity. The impacted systems use hard-coded credentials, such as a hardcoded key, for inbound authentication, outbound communication to external components, and encryption to internal data.
The IntelliBridge hub also holds an authentication bypass that uses an alternative path or channel. While the standard access path requires authentication, the platform also allows the use of an alternate channel that doesn’t require user authentication.
The analysis shows these vulnerabilities would take a low skill level to exploit. If successful, an attack could gain access to the impacted platforms to execute software, modify device configurations, or access and update files, including unidentifiable patient data.
“The vulnerabilities can potentially be exploited over the Philips patient monitoring network, which is required to be physically or logically isolated from the hospital local area network,” a Philips’ spokesperson told SC Media in an emailed statement.
“It’s unlikely that this potential vulnerability would impact clinical use, as the Philips IntelliBridge EC40/80 hub is not intended for use in connection with active patient monitoring,” they added.
Fortunately, Philips hasn’t received any reports that these flaws have been exploited, or of any incidents tied to these flaws in the clinical setting. A software release able to mitigate the flaws is expected within Q4 2021.
CISA also alerted to three newly disclosed vulnerabilities in the Philips PIC iX and Efficia CM series platforms, ranked at medium-severity but exploitable from an adjacent network with low attack complexity.
Specifically, PIC iX versions C.02 and C.03 don't validate or improperly validate the properties of inputted data, required to safely and accurately process data. The platform also uses hard-coded cryptographic keys that “significantly increases the possibility encrypted data may be recovered.”
Lastly, all of the aforementioned platforms use “broken or risky cryptographic algorithms.” CISA noted that the use introduces unnecessary risk that could result in the exposure of sensitive data and impact the communications of the impacted platforms.
“Successful exploitation of these vulnerabilities may allow an attacker unauthorized access to data (including patient data) and denial of service resulting in temporary interruption of viewing of physiological data at the central station,” according to the Philips’ alert. “Exploitation does not enable modification or change to point of care devices.”
On a positive note, the vulnerability is not exploitable remotely or without a high skill level, nor has Philips received any reports the flaws have been exploited. There are also no known public exploits that specifically target the vulnerability.
Remediation for the PIC iX vulnerability has been released by Philips and will be included in future releases. The remaining issues are scheduled for remediation by the end of Q4 2022.
As a result, Philips is urging healthcare users to operate the platforms within authorized specifications and to apply recommended mitigation measures for the vulnerabilities that don’t yet have a patch.
Those recommendations include ensuring the Bitlocker Drive Encryption has not been disabled to protect the data stored on the system, which is shipped to customers enabled by default.
“By default, patient information is not included in archives,” according to the alert. “When exporting archives that contain patient information, customers should securely [store data] with strong access controls.”
“The Philips patient monitoring network is required to be physically or logically isolated from the hospital LAN,” it added. “Philips recommends using a firewall or routers that can implement access control lists restricting access in and out of the patient monitoring network for only necessary ports and IP addresses.”
As with all vulnerability disclosures, CISA reminded organizations to execute impact analysis and risk assessments before deploying defensive measures. CISA also reminded organizations to minimize network exposure for all devices and systems, ensuring they’re not accessible from the internet.
