Philips, CISA Warn of Medical Device Product Security Flaws
Exploitation Could Allow Access to Patient Data, Denial of Service Attacks
Federal regulators and Philips this week issued advisories pertaining to several security vulnerabilities identified in certain patient monitoring and medical device interface products from the manufacturer.
Exploitation could allow attackers to access patient data, launch denial of service attacks and more, they warn.
The advisories pertain to vulnerabilities in Philips' Patient Information Center iX (PIC iX) and Efficia CM Series patient monitoring software, and in the company's IntelliBridge EC40 and EC80 systems, versions C.00.04 and prior. The IntelliBridge systems are interface products that transfer data from point-of-care medical devices to a hospital's other information systems.
Security researchers at Nozomi Networks identified and reported all of the vulnerabilities to the Cybersecurity and Infrastructure Security Agency, the advisories note. The products are used worldwide, CISA says.
Philips Patient Information Center Flaws
In its alert about the Philips Patient Information Center iX (PIC iX) and Efficia CM Series, CISA notes that the vulnerabilities are exploitable from an adjacent network with low attack complexity.
The vulnerabilities are improper input validation, use of a hard-coded cryptographic key and use of a broken or risky cryptographic algorithm, and CISA says they were assigned CVSS v3 base scores ranging from 5.9 to 6.5.
"Successful exploitation of these vulnerabilities may allow an attacker unauthorized access to data, including patient data, and create a denial of service resulting in temporary interruption of viewing physiological data at the central station," CISA notes.
Exploitation does not enable modification or change to point-of-care devices, CISA says.
Philips in its alert says that to date, it has not received any reports of exploitation of these issues or of incidents from clinical use that the company has been able to associate with the vulnerabilities. Also, there are no known public exploits that specifically target these vulnerabilities, Philips adds.
Philips says it released a remediation for the improper input validation issue in PIC iX C.03.06 in the third quarter of 2021, and it plans to issue remediations for the remaining vulnerabilities by the end of the fourth quarter of 2022.
In the meantime, Philips recommends that customers of the affected products follow the actions outlined in the company's Patient Monitoring System Security for Clinical Networks guide. Those include following NIST SP 800-88 guidelines for media sanitization prior to system disposal and using firewalls or routers that implement access control lists restricting traffic in and out of the patient monitoring network to only the necessary ports and IP addresses.
Philips IntelliBridge EC40 and EC80 Hub Issues
In its advisory about the Philips IntelliBridge EC40 and EC80, CISA says the vulnerabilities, both of low attack complexity, are use of hard-coded credentials and authentication bypass using an alternate path or channel.
CISA assigns both vulnerabilities a CVSS v3 base score of 8.1.
"Successful exploitation of these vulnerabilities may allow an attacker unauthorized access to the IntelliBridge EC40 and 80 Hub," CISA says.
"This could allow an attacker to execute software, modify system configurations, or view/update files, including unidentifiable patient data."
Philips says that to date, it has not received any reports of exploitation of the vulnerabilities or of incidents from clinical use that it has been able to associate with the issues.
"It is unlikely that this potential vulnerability would impact clinical use, as the Philips IntelliBridge EC40/80 hub is not intended for use in connection with active patient monitoring," Philips notes.
Philips plans to release software updates in the fourth quarter of 2021, and its advisory notes that controlling mitigations are in place on the affected software to limit the risk and exploitability of the vulnerabilities.
In the interim, Philips recommends mitigation steps such as operating the products within Philips' authorized specifications, including Philips approved software, software configuration, system services and security configuration.
Also, customers' medical device networks should be logically or physically isolated from the hospital network, as specified in the Philips Patient Monitoring System Security for Clinical Networks guide, the company advises.
The manufacturer also notes that there is no clinical requirement for these devices to communicate outside of the Philips clinical network.
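The guidance above amounts to a default-deny boundary around the clinical network: only a short list of flows may cross it, and nothing else should. The following is an added example, not Philips or CISA code, of how an operator can check exported flow records against such an allowlist to find traffic the ACL should have blocked. The address ranges, the two permitted flows (an HL7 export to an interface engine and NTP to a single time source) and the sample flow records are all constructed for illustration; real values come from the hospital's own address plan and the Philips clinical network guide.

```python
"""Allowlist check for traffic crossing a patient monitoring network boundary.

Added example; the networks, ports and flow records are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Assumed address plan (constructed): the isolated clinical/monitoring VLAN.
CLINICAL_NET = ipaddress.ip_network("10.50.0.0/24")

# Assumed allowlist (constructed): the only flows permitted to cross the
# boundary, as (source network, destination network, protocol, dest port).
# Any other boundary-crossing flow violates the intended default-deny ACL.
ALLOWED = [
    # Central station sends HL7 results to one interface engine on the hospital side
    (CLINICAL_NET, ipaddress.ip_network("10.10.5.20/32"), "tcp", 2575),
    # NTP from the clinical network to the hospital's single time source
    (CLINICAL_NET, ipaddress.ip_network("10.10.1.10/32"), "udp", 123),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def crosses_boundary(flow: Flow) -> bool:
    """True if exactly one endpoint of the flow is inside the clinical network."""
    s_in = ipaddress.ip_address(flow.src) in CLINICAL_NET
    d_in = ipaddress.ip_address(flow.dst) in CLINICAL_NET
    return s_in != d_in


def is_allowed(flow: Flow) -> bool:
    """Default deny: a boundary-crossing flow is allowed only if a rule matches it."""
    if not crosses_boundary(flow):
        return True  # traffic that stays inside (or outside) the VLAN is out of scope here
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for src_net, dst_net, proto, dport in ALLOWED:
        if src in src_net and dst in dst_net and flow.proto == proto and flow.dport == dport:
            return True
    return False


def violations(flows):
    """Return the flows that crossed the boundary without an allowlist match."""
    return [f for f in flows if not is_allowed(f)]


# Constructed sample flow records, in the shape a firewall or NetFlow export might give.
SAMPLE_FLOWS = [
    Flow("10.50.0.15", "10.50.0.2", "tcp", 24105),  # monitor to central station, stays inside the VLAN
    Flow("10.50.0.2", "10.10.5.20", "tcp", 2575),   # HL7 export, on the allowlist
    Flow("10.50.0.2", "10.10.1.10", "udp", 123),    # NTP, on the allowlist
    Flow("10.0.44.9", "10.50.0.30", "tcp", 445),    # hospital workstation probing SMB on a hub: violation
    Flow("10.50.0.30", "203.0.113.7", "tcp", 443),  # hub reaching the internet: violation
]

if __name__ == "__main__":
    for f in violations(SAMPLE_FLOWS):
        print(f"DENY {f.proto} {f.src} -> {f.dst}:{f.dport}")
```

Run against real exports, the same check is a cheap way to verify that the ACLs on the firewall or router actually enforce the isolation the guide calls for, rather than assuming they do.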
Some of the vulnerabilities identified in the Philips products - especially the hard-coded passwords - are common issues in many medical devices, as well as IoT devices, says Benjamin Denkers, chief innovation officer at privacy and security consultancy CynergisTek.
While each of the vulnerabilities identified is problematic, "hard-coded passwords are as low-hanging fruit as it gets," he says.
In medical devices, exploiting such flaws does not require a high level of sophistication, and an attacker could potentially gain access to sensitive information or cause harm to someone, especially if the device in question is something such as a medication infusion pump, he notes.
When it comes to hard-coded authentication and similar issues, "It boils down to how the system is designed," Denkers says.
"What you typically see is that if a manufacturer has already implemented poor practices, like 'hard-coded' mechanisms, it can be difficult and costly to redesign the solution for a more secure alternative."
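The design difference Denkers describes, shown as an added example that is not code from Philips or from any product in the article: a service login baked into every unit beside one whose secret is generated per device at commissioning. The user name, the credential literal and the provisioning flow are hypothetical.

```python
"""Hard-coded device credential versus a per-device provisioned secret.

Added example; the service account, the literal password and the
provisioning flow are hypothetical.
"""
import hashlib
import hmac
import os
import secrets

# --- The pattern to avoid: one credential baked into every unit ----------------
# A check against a literal means the secret is identical on every device,
# recoverable from the firmware image, and cannot be rotated without a new build.
SERVICE_USER = "service"
SERVICE_PASSWORD = "Svc1234!"  # hypothetical literal, present in every shipped unit


def login_hardcoded(user: str, password: str) -> bool:
    return user == SERVICE_USER and password == SERVICE_PASSWORD


# --- The alternative: a secret generated per device at provisioning ------------
# Each unit receives its own random secret when it is commissioned; the device
# stores only a salted hash, so neither the firmware image nor a compromised
# device yields a credential that works on any other unit.

PBKDF2_ITERATIONS = 210_000  # current OWASP guidance for PBKDF2-HMAC-SHA256


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def provision_device() -> tuple:
    """Generate a unique secret for one unit.

    Returns the record the device stores and the one-time secret handed to the
    commissioning engineer (the device never keeps the plaintext).
    """
    secret = secrets.token_urlsafe(24)
    salt = os.urandom(16)
    record = {"user": SERVICE_USER, "salt": salt, "hash": _derive(secret, salt)}
    return record, secret


def login_provisioned(record: dict, user: str, password: str) -> bool:
    if user != record["user"]:
        return False
    candidate = _derive(password, record["salt"])
    # constant-time comparison so the check does not leak how many bytes matched
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    # Hard-coded: the literal from the firmware works on every unit.
    print("hard-coded default accepted:", login_hardcoded("service", "Svc1234!"))
    # Provisioned: two units get different secrets; one unit's secret fails on the other.
    rec_a, secret_a = provision_device()
    rec_b, secret_b = provision_device()
    print("own secret accepted:", login_provisioned(rec_a, "service", secret_a))
    print("other unit's secret accepted:", login_provisioned(rec_b, "service", secret_a))
    print("firmware default accepted:", login_provisioned(rec_a, "service", "Svc1234!"))
```

The retrofit cost Denkers mentions is visible here: the second design needs a provisioning step, secure storage for the record and a way to rotate the secret in the field, none of which a firmware image with a literal password was built to support.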
The 'Wild West'
Overall, medical device vulnerabilities, such as those identified in the Philips products, pose considerable concerns for hospitals and patients, some experts note.
"It’s still the Wild West out there with crypto miners and botnets that can use hosts to launch attacks, leveraging authenticated IPs and ports worm-holing into other systems, possibly hiding malware in files, and bypassing firewalls," says Michael Holt, president and CEO of healthcare security vendor Virta Labs.
"Like the Colonial Pipeline ransomware attack, a distributed denial-of-service across medical workstations could bring down one or more hospitals' patient monitoring through third-party vendor systems," Holt says.
Many medical devices have default passwords "and are unlikely to have evolving unique authentication tokens to build machines with known safe failure modes," he adds.
Healthcare entities must take steps to become more proactive in tracking potential vulnerabilities in the medical devices they use in their organizations, according to Denkers.
"Understanding the asset and threat landscape of your organization is critical," he says.
"Having a medical device security program in place will help organizations understand their exposure when issues like these arise. Having this level of visibility will provide an organization the ability to quickly respond and remediate as needed."