Publication Date: August 17, 2017
Update Date: August 17, 2017
Philips has confirmed the findings of a customer-submitted complaint and vulnerability report that the Philips DoseWise Portal (DWP) application (versions 126.96.36.1993 and 188.8.131.5269) contains security vulnerabilities: hard-coded database credentials are stored in clear text (unencrypted) within backend system files behind current production security defenses.
Philips has received no reports of exploitation of these vulnerabilities or incidents from clinical use that we have been able to associate with this problem.
To use or exploit these vulnerabilities to access the underlying DWP database, an attacker first requires elevated privileges in order to access the web application backend system files that contain the hard-coded credentials. Successful exploitation may allow a remote attacker to gain access to the database of the DoseWise Portal application, which contains patient health information (PHI). Potential impact could include compromise of patient confidentiality, system integrity, and/or system availability.
The Philips DoseWise Portal (DWP) is a radiation dose management solution which simplifies the collection, analysis and interpretation of patient radiation dose metrics and acquisition parameters across x-ray medical imaging devices. DoseWise Portal captures, tracks, alerts and reports on patient radiation dose to support users in performing statistical analysis of imaging equipment radiation output. This provides quantitative trends and statistics that users may use as input in planning and tracking dose management improvement activities. DWP is a standalone Class A software in accordance with IEC 62304, classified as a low-safety-risk medical device.
Philips is scheduled to release a new product version and supporting product documentation in August 2017.
- Ensure network security best practices are implemented and
- Block Port 1433, except where a separate SQL server is used.
Philips has notified all customers of the identified vulnerabilities and will coordinate with customers to schedule updates. Philips encourages users to only use Philips-validated and authorized changes for the DoseWise Portal system supported by Philips’ authorized personnel or under Philips’ explicit published directions for product patches, updates, or releases.
Customers with questions regarding their specific DoseWise Portal installations should contact their local Philips service support team or their regional service support.
Philips manufactures, sells and helps you maintain highly complex medical devices and systems. Per policy, only Philips-authorized changes are allowed to be made to these systems, either by Philips personnel or under Philips' explicit published direction.
Please contact your Philips service representative for specific information about potential vulnerabilities and the availability of patches for your equipment configuration.