The Philips DoseWise Portal's back-end system uses hard-coded database login credentials, and stores these credentials in clear text.

A web-based reporting tool that tracks radiation doses delivered by X-ray machines and related devices contains security vulnerabilities that could impact patient confidentiality, system integrity, or system availability, Dutch tech company Philips has acknowledged.

In an Aug. 17 online vulnerability disclosure, Philips noted that the back-end system for its Philips DoseWise Portal (DWP) uses hard-coded database login credentials, and stores these credentials in clear text. "Philips has received no reports of exploitation of these vulnerabilities or incidents from clinical use that we have been able to associate with this problem," the notification reads.

Attackers with elevated privileges who are able to access the back-end system files can exploit these flaws to infiltrate the database, which contains sensitive patient health information. Philips plans to issue a product update this month to alleviate this problem, but in the meantime users are advised to block Port 1433, except where a separate SQL server is used.

The ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) also issued its own advisory about these vulnerabilities.