Flaws in web-based radiological solution could allow attackers to see right through database

A web-based reporting tool that tracks radiation doses delivered by X-ray machines and related devices contains security vulnerabilities that could impact patient confidentiality, system integrity, or system availability, Dutch tech company Philips has acknowledged.

In an Aug. 17 online vulnerability disclosure, Philips noted that the back-end system for its Philips DoseWise Portal (DWP) uses hard-coded database login credentials, and stores these credentials in clear text. "Philips has received no reports of exploitation of these vulnerabilities or incidents from clinical use that we have been able to associate with this problem," the notification reads.

Attackers with elevated privileges who are able to access the back-end system files can exploit these flaws to infiltrate the database, which contains sensitive patient health information. Philips plans to issue a product update this month to alleviate this problem, but in the meantime users are advised to block Port 1433, except where a separate SQL server is used.

The ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) also issued its own advisory about these vulnerabilities.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.