Customer Support

Committed to proactively addressing the security concerns of our customers

To guide our efforts, we have created a global policy to address the evolving nature of security in medical technology, including product feature requirements, security threat assessment and tracking, and compliance with local government standards.

Security Advisories

Microsoft Zerologon CVE-2020-1472 Advisory (29 September 2020)

Publication Date: 14 September, 2020 

Update Date: 29 September, 2020 

 

Philips is currently monitoring developments and updates related to the recent Microsoft alert concerning an elevation of privilege vulnerability (CVE-2020-1472) in Microsoft’s Netlogon. As reported by Microsoft, an elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.
 

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for OS updates related to these vulnerabilities and evaluating further possible actions as needed.

 

Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels. Philips is currently in the process of evaluating the Microsoft patch and vendor recommended mitigation options. According to Microsoft, to exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference the product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips products.

Philips Clinical Collaboration Platform, officially registered as Vue PACS (17 September 2020)

Publication Date: September 17, 2020

Update Date: September 17, 2020

 

Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive, ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.  

 

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible security vulnerabilities, the company is proactively issuing an advisory regarding the Philips Clinical Collaboration Platform Portal (officially registered as Vue PACS).

 

Philips confirmed 5 vulnerabilities in a range of low- to medium-severity (CVSS 3.4-6.8) associated with the Philips Clinical Collaboration Platform Portal (officially registered as Vue PACS), affecting versions 12.2.1 and prior. These include potential exploits relating to input and data validation verification, resource allocation limitation, and access configuration, among others.

 

This potential issue requires a high skill level to exploit, and there are currently no known public exploits available. To date, Philips has not received any reports of exploitation of this vulnerability or of incidents from clinical use that we have been able to associate with this issue.

 

Successful exploitation of these issues could allow an attacker to lead a user into executing potentially unauthorized actions, or provide the attacker with identifying information that could be used for subsequent attacks.
 

Philips released a patch in June 2020 for the Clinical Collaboration Platform Portal (officially registered as Vue PACS) version 12.2.1.5 to correct some of these issues, and a new release of the product was made available in May 2020. One issue requires manual intervention; affected customers are advised to contact Philips support.

 

Users with questions regarding their specific Philips Clinical Collaboration Platform installation and new release eligibility should contact their local Philips service support team, or regional service support. Philips contact information is available at the following location: 

https://www.usa.philips.com/healthcare/solutions/customer-service-solutions or call 1-877-328-2808, option 4.

 

Publication on CISA website: https://us-cert.cisa.gov/ics/advisories/icsma-20-261-01

Philips Patient Monitoring (10 September 2020)

Publication Date: September 10, 2020

Update Date: September 10, 2020
 

Philips is a committed leader in medical device cybersecurity. Guided by our global Product Security Policy, the company conducts extensive, ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.  


In accordance with Philips’ Coordinated Vulnerability Disclosure Policy covering the disclosure and remediation of possible security vulnerabilities, the company is proactively issuing an advisory regarding certain types and versions of the Philips IntelliVue Patient Monitor system, the Patient Information Center iX (PIC iX) software, and PerformanceBridge Focal Point.
 

Philips has become aware of potential low-to-moderate-severity vulnerabilities in affected products. These potential issues require a low skill level to exploit. To successfully exploit these vulnerabilities an attacker would need to gain either (1) physical access to surveillance stations and patient monitors or (2) access to the medical device network. These vulnerabilities, if exploited, could result in unauthorized access, interrupted monitoring, and collection of access information and/or patient data.


There are no known public exploits available for these issues. To date, Philips has not received any reports of exploitation of these issues or of incidents from clinical use that we have been able to associate with this issue.


Philips plans to release a series of updates for affected products beginning in 2020. Philips has reported the potential issues and their mitigation to customers and the appropriate government agencies, including CISA, which is issuing an advisory.


Users with questions regarding their specific Philips IntelliVue monitor, PIC iX and PerformanceBridge Focal Point installations should contact their local Philips service support team, or regional service support. Philips contact information is available at the following location: https://www.usa.philips.com/healthcare/solutions/customer-service-solutions     

 


ADDENDUM: Affected Product List
 

  • Patient Information Center iX (PICiX) version B.02, C.02, C.03
  • PerformanceBridge Focal Point version A.01
  • IntelliVue patient monitors MX100, MX400-MX850 and MP2-MP90 version N and prior
  • IntelliVue X3 and X2 version N and prior

 

Cybersecurity & Infrastructure Security Agency (CISA) advisory: https://us-cert.cisa.gov/ics/advisories/icsma-20-254-01

Philips SureSigns VS4 patient monitoring system (20 August 2020)

Publication Date: August 20, 2020

Update Date: August 20, 2020

 

Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive, ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities. 

 

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible security vulnerabilities, the company is proactively issuing an advisory regarding the Philips SureSigns VS4 patient monitoring system.

 

Philips has become aware of low- to medium-severity vulnerabilities (CVSS scores 2.1, 4.9 and 6.3) regarding improper input validation, inadequate encryption strength, and improper access control, associated with the Philips SureSigns VS4 system, affecting versions A.07.107 and prior.

 

There are currently no known public exploits available for the reported vulnerabilities. To date, Philips has not received any reports of exploitation of these vulnerabilities or of incidents from clinical use that we have been able to associate with this issue.

 

Successful exploitation may allow an unauthorized user access to administrative controls and system configurations which could allow changes to system configuration items, causing patient data to be sent to a remote destination. This potential vulnerability does not impact patient safety.

 

To mitigate these potential vulnerabilities, Philips recommends that customers change all system passwords on their devices, using a unique password for each device, and physically secure the device when not in use. Customers are also advised to consider replacing Philips SureSigns VS4 devices with newer technology.

 

Users with questions regarding their specific Philips SureSigns VS4 installation should contact their local Philips service support team, or regional service support. Philips contact information is available at the following location:

Cybersecurity & Infrastructure Security Agency (CISA) advisory:

Philips DreamMapper (30 July 2020)

Publication Date: July 30, 2020

Update Date: July 30, 2020

 

Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive, ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.  

 

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible security vulnerabilities, the company is proactively issuing an advisory regarding the Philips DreamMapper software.

 

Philips has become aware of a potential medium-severity vulnerability regarding access to log file information associated with the Philips DreamMapper software, affecting only Versions 2.24.x and prior.

 

This potential issue requires a low skill level to exploit. To date, Philips has not received any reports of exploitation of this vulnerability or of incidents from clinical use that we have been able to associate with this issue.

 

Successful exploitation may allow an unauthorized user access to log file information containing descriptive error messages. This potential vulnerability does not impact patient safety. The Philips DreamMapper software is a personalized therapy adherence tool for sleep apnea patients and is not a clinical application – it does not directly provide therapy or diagnosis to patients.

 

Philips plans a new release for DreamMapper by June 30, 2021 that remediates the security vulnerability identified. Philips has reported this potential vulnerability and its mitigation to customers and the appropriate government agencies, including CISA, which is issuing an advisory.

 

Users with questions regarding their specific Philips DreamMapper installation should contact their local Philips service support team, or regional service support. Philips contact information is available at the following location:  https://www.usa.philips.com/healthcare/solutions/customer-service-solutions

 

https://us-cert.cisa.gov/ics/advisories/icsma-20-212-01    

Boothole GRUB2 Advisory (29 July 2020)

Publication Date: July 29, 2020

Update Date: August 19, 2020

 

Philips is aware of and currently monitoring a third-party vulnerability that impacts the GRUB2 bootloader, a component that controls which operating system is booted on a system. This third-party vulnerability was recently discovered by a security vendor and is not specific to Philips or our products.
 

The identified third-party vulnerability, designated CVE-2020-10713, also referred to as “Boot Hole,” is a buffer overflow vulnerability that exists in the way GRUB2 parses the grub.cfg configuration file. This vulnerability impacts all versions of GRUB and systems using Secure Boot with the standard Microsoft UEFI Certificate Authority. If successfully exploited, an unauthorized user could potentially bypass the Secure Boot signature verification and execute arbitrary code during the boot process. To exploit this vulnerability, a threat actor would need physical access to the system and user privileges to execute this attack.


Following analysis by Philips, the company has determined that no Philips products contain the GRUB2 bootloader component, and are therefore not affected by this third-party vulnerability.

Microsoft SIGRED RCE DNS advisory (15 July 2020)

Publication Date: July 15, 2020 

Update Date: July 31, 2020

 

Philips is currently monitoring developments and updates related to the recent Microsoft alert concerning the reported remote code execution (RCE) vulnerability (CVE-2020-1350) in Windows DNS Server. As reported by Microsoft, a remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. Windows servers that are configured as DNS servers are at risk from this vulnerability.

 

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for OS updates related to these vulnerabilities and evaluating further actions or updates to potentially affected Philips products.

 

Microsoft has released a patch to help remediate this vulnerability. Philips is currently in the process of evaluating the Microsoft patch and vendor recommended mitigation options. According to Microsoft, an attacker who successfully exploits the vulnerability could run arbitrary code in the context of the Local System Account which could allow an attacker to take control of an affected system.


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference the product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips products.

 

Begin Update A: July 28, 2020

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2020-1350. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

  • Analytics 1.1
  • Ultrasound CX version 5.0.3, release expected Q4 2020
  • Ultrasound Sparq version 3.0.3, release expected Q4 2020
  • Clinical Collaboration Platform (formerly Vue PACS) ***
  • IntelliSpace PACS 4.4, 4.4.55x ***
  • PIC iX B.0x and C.0x Physiological Server only when DNS enabled *****
  • IntelliBridge Enterprise (IBE) versions B.06-.12 *, **
  • UDM 2.1 and 1.1

*Software-only products with customer-owned operating systems

**Information or patch available in InCenter

***Philips hosting business validated and is deploying the patch to the managed infrastructure

****Patch is tested and can be installed via the Windows Update mechanism

*****Mitigation tested and applicable, see steps below:

 

The PIC iX Physiological Server may be configured as a DNS server as outlined in the Service and Installation Guide; however, the DNS Server role is not required for PIC iX and is not installed by default. Only those installations where the Physiological Server is configured as the DNS server would be at risk from the RCE vulnerability. The Philips medical device network is required to be physically or logically isolated from the hospital LAN. We suggest that network firewalls and access control lists be reviewed to ensure limited access to DNS.

Philips has evaluated the Windows registry modification workaround provided by Microsoft. Philips has determined that the workaround has no negative impact on the PIC iX system, and the registry modification can be applied to a PIC iX Server configured as a DNS server. Philips strongly recommends removing the registry workaround after applying the security patch, as instructed by Microsoft.

For more information on the mitigation please see link below:

 

https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability

 

Note: Please be aware that the "0x" prefix shown with the hexadecimal value "FF00" (decimal value 65280) in the Microsoft KB article should be excluded from data entry, as its inclusion may have unintended results due to unpredictable handling of the "x" character.
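The workaround and its later removal, as an added PowerShell example that is not Philips' or Microsoft's own script: the registry key path and value name are the ones published in the Microsoft KB article (4569509) linked above, while the function names are this example's own. It assumes an elevated PowerShell prompt on a server with the DNS Server role, and sidesteps the "0x" data-entry problem in the note above by letting PowerShell parse the hexadecimal literal into an integer.

```powershell
# Added example (not Philips' or Microsoft's own script): apply, verify and later
# remove the Microsoft registry workaround for CVE-2020-1350 on a Windows server
# that has the DNS Server role installed. Run from an elevated PowerShell prompt.
# Key path and value name are those published in Microsoft KB article 4569509;
# the function names below are this example's own.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$Expected  = 0xFF00   # PowerShell parses this literal as the integer 65280, so the
                      # "0x" text itself never reaches the registry.

function Test-DnsRolePresent {
    # The workaround only applies where the DNS Server service exists.
    return ($null -ne (Get-Service -Name 'DNS' -ErrorAction SilentlyContinue))
}

function Set-DnsTcpWorkaround {
    # Create (or overwrite) the DWORD value, then restart DNS so it takes effect.
    if (-not (Test-DnsRolePresent)) {
        throw 'DNS Server role is not installed on this host; the workaround does not apply.'
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
                     -Value $Expected -Force | Out-Null
    Restart-Service -Name 'DNS'
}

function Test-DnsTcpWorkaround {
    # Returns $true only when the value exists and equals 65280 (0xFF00).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    $actual = [int]$item.$ValueName
    Write-Host ('{0} = 0x{1:X} ({1})' -f $ValueName, $actual)
    return ($actual -eq $Expected)
}

function Remove-DnsTcpWorkaround {
    # Remove the value once the Microsoft security update has been installed, as
    # the advisory above recommends, and restart the DNS service again.
    Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    Restart-Service -Name 'DNS'
}

# Typical use before the patch is available: apply and confirm.
Set-DnsTcpWorkaround
if (-not (Test-DnsTcpWorkaround)) {
    throw "Workaround value $ValueName was not applied correctly."
}
# After the security update is installed, run: Remove-DnsTcpWorkaround
```

Test-DnsTcpWorkaround is also a quick audit step: run it on each DNS-enabled PIC iX server after patching, where it should return $false once the workaround has been removed.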

 

End Update A

F5 Advisory (30 June 2020)

Publication Date: June 30, 2020 

Update Date: September 25, 2020 

 

Philips is currently monitoring developments and updates related to the recent F5 alert concerning the reported remote code execution (RCE) vulnerability (CVE-2020-5902) in undisclosed pages. The technical details reported by F5 state that this vulnerability allows unauthenticated attackers, or authenticated users, with network access to the configuration utility through the BIG-IP management port and/or self IPs to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability may result in complete F5 system compromise. The F5 BIG-IP system in appliance mode is also vulnerable. This F5 issue is not exposed on the data plane; only the control plane is affected.

 

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing F5 for potential impacts from these reported vulnerabilities and validating actions. F5 has released a patch to help remediate this vulnerability. Philips is currently in the process of validating the F5 patch and vendor recommended mitigation options. Once the F5 patch has been tested and validated by Philips with the impacted products, the patch will either be installed by Philips or made available for installation by customers, depending on contract details.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

When a product does require security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference the product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips products.

 

Begin Update B: September 25, 2020

 

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2020-1350. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

  • Clinical Collaboration Platform (formerly called Vue PACS) ***
  • IS PACS (versions 3.6, 4.1, 4.4, 4.4.551, and 4.4.553) ***
  • Universal Data Manager (UDM) (versions 1.1, 2.1, and 3.1) ***
  • VueBeyond

*Software-only products with customer-owned operating systems

**Information or patch available in InCenter

***Philips hosting business is in the process of validating and deploying the patch to the managed infrastructure
 

End Update B

Begin Update A: August 28, 2020

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2020-1350. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

  • Clinical Collaboration Platform (formerly called Vue PACS) ***
  • IS PACS (versions 3.6, 4.1, 4.4, 4.4.551, and 4.4.553) ***
  • Universal Data Manager (UDM) (versions 1.1, 2.1, and 3.1) ***

*Software-only products with customer-owned operating systems

**Information or patch available in InCenter

***Philips hosting business is in the process of validating and deploying the patch to the managed infrastructure

 

End Update A

Philips Ultrasound (24 June 2020)

Publication Date:  June 24, 2020

Update Date: June 24, 2020

 

Philips is a leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive, ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible security vulnerabilities, the company is proactively issuing an advisory regarding specific versions of Philips ultrasound software applications.

Philips has become aware of a potential low-severity issue (CVSS v3 base score 3.6 – Low) where unauthorized personnel can bypass authentication via an alternate path or channel or via an alternate service login. This potential issue is only associated with Ultrasound ClearVue versions 3.2 and prior, Ultrasound CX versions 5.0.2 and prior, Ultrasound EPIQ and Affiniti versions VM5.0 and prior, Ultrasound Sparq version 3.0.2 and prior, and Ultrasound Xperius.

This potential issue requires local access to an affected system and a high skill level to exploit. If a successful exploitation occurs, the only result is that an unauthorized user may be able to enable and access ultrasound device features that were not included with system purchase. Philips’ analysis indicates that this is not a device safety issue, and there is no expectation of patient hazard. To date, Philips has not received reports of this vulnerability being exploited in clinical use.

 

To address this issue:

  1. Philips released Ultrasound EPIQ and Affiniti version VM6.0 in April 2020, which removed the affected functionality.
  2. Philips plans the following new releases to address this issue in the following software versions:
  • Ultrasound ClearVue version 3.3, release expected Q4 2020
  • Ultrasound CX version 5.0.3, release expected Q4 2020
  • Ultrasound Sparq version 3.0.3, release expected Q4 2020


As an interim mitigation to this vulnerability, Philips recommends customers ensure service providers can guarantee installed device integrity during all service and repair operations.

 

Philips has reported this potential issue and its mitigation to customers and the appropriate government agencies, including CISA, which is issuing an advisory.

Users with questions regarding their specific Philips ultrasound software installation should contact their local Philips service support team or regional service support. Philips contact information is available at:

https://www.usa.philips.com/healthcare/solutions/customer-service-solutions


Please see the Philips product security web site for the latest security information for Philips products:   https://www.philips.com/productsecurity


Ripple20 Advisory (18 June 2020)

Publication Date: June 18, 2020
Update Date: September 4, 2020

 

Security researchers at JSOF have disclosed 19 different zero-day vulnerabilities within the Treck TCP/IP stack. The collection of vulnerabilities, which JSOF refers to as "Ripple20", could lead to remote code execution or exposure of sensitive information. Of the 19 flaws, 6 are rated high severity under the industry-standard Common Vulnerability Scoring System (CVSS) v3. The exposure to these high-severity issues greatly depends on the Treck products being used.

 

Philips is currently monitoring developments and updates related to the recently published advisory (ICSA-20-168-01) concerning the 19 reported CVEs collectively referred to as Ripple20. In the advisory, Treck recommends that users apply the latest version of Treck TCP/IP (6.0.1.67 or later).

 

As part of the Philips product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions that may be utilizing Treck TCP/IP for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for OS updates related to these vulnerabilities and evaluating further actions or updates to potentially affected Philips products. Treck has released patches to help remediate these vulnerabilities.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

 

Begin Update A: September 4, 2020

 

Philips is providing the list below in order to better assist our customers in identifying any Philips products vulnerable to Ripple20. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

HeartStart Intrepid Monitor/Defibrillator (867172) **

(not sold in the US)

**Information or patch available in InCenter

 

End Update A

Philips IntelliBridge Enterprise (IBE) system (11 June 2020)

Publication Date: June 11, 2020

Update Date: July 1, 2020
 

Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive, ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.
  

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible security vulnerabilities, the company is proactively issuing an advisory regarding the Philips IntelliBridge Enterprise (IBE) system.

 

Philips has become aware of a potential low-severity vulnerability regarding unencrypted user credentials stored in transaction logs associated with the Philips IntelliBridge Enterprise (IBE) software, affecting only Versions B.12 and prior, with the following workflows:

  • Enterprise system integration with:
      • SureSigns (VS4)
      • EarlyVue (VS30)
      • IntelliVue Guardian (IGS)

 

This potential issue requires a high skill level to exploit, and to date, Philips has not received reports of exploits of this vulnerability. Successful exploitation may allow an existing administrator and/or high-privileged system user access to credentials for the hospital’s clinical information systems. IntelliBridge Enterprise (IBE) provides HL7 interface interoperability between Philips products and the hospital’s clinical information systems or electronic medical records by providing a single integration point to the enterprise. Philips IntelliBridge Enterprise has no clinical user interface, nor does it interpret, inspect, or provide additional analytical functionality for medical device data.

 

Philips plans a new release (IBE B.13) by the end of Q4 2020 that remediates the potential issue by not logging the plain-text user credentials in the log file. In the interim, Philips recommends that IBE transaction logs be made accessible only with administrative privileges. If necessary, an additional, limited-privilege account can be created on the IBE system for authorized users such as service engineers. Additionally, it is recommended to reduce log retention to a shorter timeframe.
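The interim mitigation above (administrator-only access to the transaction logs plus shorter retention), as an added PowerShell example that is not Philips' own tooling: the log directory path is a placeholder to be replaced with the location documented for your IBE installation, the 7-day retention window is an assumed value, and the function names are this example's own.

```powershell
# Added example (not Philips' own tooling): restrict an IBE transaction-log directory
# to SYSTEM and the local Administrators group, verify the result, and prune logs
# older than a retention window. Run from an elevated PowerShell prompt on the IBE server.
$LogDir        = 'C:\PLACEHOLDER\IBE\TransactionLogs'   # placeholder, not a real Philips path
$RetentionDays = 7                                       # assumed value; set per local policy

# Well-known SIDs are used instead of account names so the script also works on
# localized Windows installations.
$SystemSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18')
$AdminsSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')

function Protect-LogDirectory {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # Stop inheriting the parent folder's (usually broader) permissions and drop
    # every explicit ACE, so only the two rules added below remain.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRule($rule) | Out-Null
    }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    foreach ($sid in @($SystemSid, $AdminsSid)) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $sid, 'FullControl', $inherit, 'None', 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-LogDirectoryProtected {
    param([string]$Path)
    # Returns $true when no principal other than SYSTEM and Administrators holds an ACE.
    $allowed = @($SystemSid.Value, $AdminsSid.Value)
    $acl = Get-Acl -Path $Path
    $others = $acl.Access | Where-Object {
        $allowed -notcontains $_.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    }
    return (@($others).Count -eq 0)
}

function Remove-ExpiredLogs {
    param([string]$Path, [int]$Days)
    # Shorter retention limits how long any credential that did land in a log stays on disk.
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $Path -File -Recurse |
        Where-Object { $_.LastWriteTime -lt $cutoff } |
        Remove-Item -Force
}

Protect-LogDirectory -Path $LogDir
if (-not (Test-LogDirectoryProtected -Path $LogDir)) {
    throw "ACL on $LogDir still grants access to principals other than SYSTEM/Administrators."
}
Remove-ExpiredLogs -Path $LogDir -Days $RetentionDays
```

If a limited-privilege service account is created as the advisory allows, add it as a third rule in Protect-LogDirectory and to the $allowed list rather than loosening the directory for everyone.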

 

Philips has reported this potential vulnerability and its mitigation to customers and the appropriate government agencies, including CISA, which is issuing an advisory.

 

Users with questions regarding their specific Philips IntelliBridge Enterprise (IBE) installation should contact their local Philips service support team, or regional service support. Philips contact information is available at the following location:

 

https://www.usa.philips.com/healthcare/solutions/customer-service-solutions

 

US DHS CISA (Cybersecurity and Infrastructure Security Agency): https://www.us-cert.gov/ics/advisories/icsma-20-163-01

 

Philips Air Purifier AC2719 (24 March 2020)

Publication Date: March 24, 2020

Update Date: March 24, 2020
 

Overview

Philips produces and sells connected air purifiers that provide healthy air to consumers. The connected air purifier can be controlled by an app: Philips has partnered with Air Matters, a world-leading air quality app. It monitors indoor and outdoor air quality, offers insights, controls your Philips connected air device, shows its filter status, and gives advice on how to manage exposure to air pollution and allergens. An independent security researcher submitted three vulnerabilities, concerning communications, key length and de-compilation of the mobile app, that can be mitigated.
 

Affected Products:

Philips reports that these vulnerabilities affect Air Matters Android version 4.2.9 and below.
 

Impact:

An attacker connected to an unprotected WiFi local network could compromise the encryption protocol to start and/or stop the air purifier.

An attacker connected to the local WiFi network can connect to the device, after which the device can be controlled remotely. This impact is equivalent to downloading the Air Matters app and connecting to the air purifier from within the local network, which is standard behavior and part of the functionality advertised to the customer.
 

Background

An independent security researcher reported that the local network communication between the app and the air purifier has been reverse engineered. The vulnerabilities identified are: 1) no use of HTTPS/TLS encryption on the local network; 2) insufficient Diffie-Hellman key length; 3) de-compilation of the Android mobile app; and 4) through scripting from the local network, a connection with the device can be set up.

These vulnerabilities do not impact confidentiality or integrity of data. The vulnerabilities could potentially impact availability.

Once notified, Philips analyzed the extent and started the containment and resolution actions.

The vulnerabilities are due to the use of an outdated chip version. This chip is no longer used in the production of new devices. Newer versions of the device use a chip without these vulnerabilities.


Vulnerability Overview

CWE-319: Cleartext Transmission of Information

The software transmits data in cleartext in a communications channel that can be sniffed by unauthorized actors. Many communication channels can be sniffed by attackers during data transmission.

The CVSS v3 base score for this vulnerability is 5.3 (Medium), with the vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-327: Use of a Broken or Risky Cryptographic Algorithm (insufficient Diffie-Hellman strength)

The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of information.

The CVSS v3 base score for this vulnerability is 4.3 (Medium), with the vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
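Why an undersized Diffie-Hellman group is a problem, as an added example (not from this advisory, which does not state the actual key length the researcher found, and not Philips or Air Matters code): baby-step giant-step recovers a private exponent from the public value in O(sqrt(p)) work, so a toy 31-bit modulus (constructed here; the real device's parameters are unknown to this page) falls in a fraction of a second, and a passive observer of the unencrypted local exchange can compute the shared secret. Requires Python 3.8+ for math.isqrt and pow(x, -1, p).

```python
from math import isqrt


def bsgs_discrete_log(g, h, p):
    """Return x with pow(g, x, p) == h, or None, by baby-step giant-step.

    Time and memory are O(sqrt(p)): that square-root cost is why the
    modulus (and the private exponent) must be far too large to enumerate.
    """
    m = isqrt(p - 1) + 1              # m*m > p-1, so every exponent is covered
    baby = {}
    cur = 1
    for j in range(m):                # baby steps: g^j for 0 <= j < m
        baby.setdefault(cur, j)
        cur = cur * g % p
    giant = pow(g, -m, p)             # g^(-m) mod p (Python 3.8+ modular inverse)
    cur = h
    for i in range(m):                # giant steps: h * g^(-i*m)
        if cur in baby:
            return i * m + baby[cur]
        cur = cur * giant % p
    return None


def break_toy_dh(p, g, alice_public, bob_public):
    """Recover the shared secret from the two public values alone."""
    a = bsgs_discrete_log(g, alice_public, p)
    if a is None:
        raise ValueError("no discrete log found (g does not generate h)")
    return pow(bob_public, a, p)


# Constructed toy parameters: a 31-bit Mersenne prime and generator 7.
# Real deployments use 2048-bit (or larger) groups for exactly this reason.
TOY_P = 2147483647
TOY_G = 7


def demo():
    """Run a toy exchange and confirm the eavesdropper gets the same secret."""
    alice_secret, bob_secret = 123456789, 987654321   # constructed private exponents
    alice_public = pow(TOY_G, alice_secret, TOY_P)
    bob_public = pow(TOY_G, bob_secret, TOY_P)
    legitimate = pow(bob_public, alice_secret, TOY_P)
    recovered = break_toy_dh(TOY_P, TOY_G, alice_public, bob_public)
    return legitimate, recovered


if __name__ == "__main__":
    legit, stolen = demo()
    print("shared secret:", legit, "recovered by attacker:", stolen, "match:", legit == stolen)
```

The attack needs only the two public values, which on this device travel over the unencrypted local channel described under CWE-319; a TLS wrapper or a properly sized group removes the problem.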

Through scripting on the local network, a connection with the device can be set up; subsequently this connection can be used to control the device remotely.
 

Existence of Exploit

Public exploits exist for some of these vulnerabilities, however, none are specifically targeted for Philips Air Purifier.
 

Difficulty

An attacker with medium to high skill would be able to exploit these vulnerabilities.
  

Mitigation

For the old infrastructure of Philips Air Purifier products:

  • Philips recommends that customers on this infrastructure always use a secure wireless connection by enabling Wi-Fi Protected Access 2 (WPA2) on their IEEE 802.11 network.
  • Only allow trusted persons onto the local network.
  • There will be no update for the old infrastructure.

The improved infrastructure of newly launched air purifiers does not have these issues, as they have been resolved. The new products have been introduced from mid-2019 onwards.

Philips recommends that consumers use the new devices with the new infrastructure.
 

Please see the Philips product security web site for the latest security information for Philips products: https://www.philips.com/productsecurity

Underwriters Laboratories (UL) Product Cybersecurity Testing Certification (12 March 2020)

Publication Date: March 12, 2020
Update Date: March 12, 2020

 

Royal Philips (NYSE: PHG, AEX: PHIA), a global leader in health technology, today announced that the company was named the first medical device manufacturer to receive a new Underwriters Laboratories (UL) product cybersecurity testing certification. Underwriters Laboratories (UL) is an independent global safety certification and testing company with locations worldwide.

 

The UL IEC 62304 certification was designed by Underwriters Laboratories to provide an overall framework to evaluate the robustness and maturity of a medical device manufacturer’s cybersecurity controls and capabilities for product development. 

 

In support of the successful Philips firm registration for the security option of IEC 62304, UL performed a comprehensive audit of the Philips Security Center of Excellence. The Center was launched in 2015 to develop cyber-resilient products and services through security-by-design, risk assessment, vulnerability and penetration assessment, specialized trainings, and incident response.

 

The audit reviewed and verified core Philips Security Center of Excellence product security processes, including security risk management and risk control measures, software security verification planning, change management and continuous improvement, and the Center’s laboratory quality management system. 

 

The UL certification combines cybersecurity testing elements of the established UL 2900-2-1 standard for Software Cybersecurity for Network-Connectable Products, which focuses on the demanding requirements of healthcare and wellness systems, as well as security principles from international standards (ISO 13485 and ISO 14971).
 

The detailed press release can be found: http://www.newscenter.philips.com/us_en

Sweyn Tooth Bluetooth Low Energy Advisory (20 February 2020)

Publication Date: February 20, 2020 

Update Date: April 20, 2020

 

Philips is currently monitoring developments and updates related to the recent Bluetooth Low Energy (BLE) alert concerning the reported SweynTooth, a family of 12 vulnerabilities (CVE-2019-16336, CVE-2019-17519, CVE-2019-17517, CVE-2019-17518, CVE-2019-17520, CVE-2019-19195, CVE-2019-19196, CVE-2019-17061, CVE-2019-17060, CVE-2019-19192, CVE-2019-19193, CVE-2019-19194).

 

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Bluetooth Low Energy (BLE) for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for updates related to these vulnerabilities and evaluating further actions or updates to potentially affected Philips products.

 

According to Texas Instruments, NXP, Cypress, Dialog Semiconductor, Microchip, STMicroelectronics and Telink Semiconductor, successful exploitation of these vulnerabilities allows an attacker in radio range to trigger deadlocks, crashes, and buffer overflows, or to completely bypass security, depending on the circumstances.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products.

 

Begin Update A: April 20, 2020

 

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to SweynTooth. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

Diamond Clean Smart connected power toothbrush (codes start with HX99)
Flexcare Platinum Connected power toothbrush (codes start with HX91)
Saeco Gran Baristo Avanti – Espresso Machine Models
Diamond Clean 9000 connected power toothbrush (codes start with HX99)
Philips Connected Shaver 7000 (S77xx & S79xx)
Expert Clean power connected toothbrush (HX96)
Sonicare - Kids connected power toothbrush (codes start with HX63)
End Update A
Microsoft CryptoAPI/NSACrypt/CurveBall Advisory (16 January 2020)

Publication Date: January 16, 2020
Update Date:  February 4, 2020
 

Philips is currently monitoring developments and updates related to the recent Microsoft alert concerning the reported CurveBall / NSACrypt / Windows CryptoAPI spoofing vulnerability (CVE-2020-0601).

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for OS updates related to these vulnerabilities and evaluating further actions or updates to potentially affected Philips products.

 

Microsoft has released patches to help remediate these vulnerabilities. Philips is currently in the process of evaluating these patches. According to Microsoft, successful exploitation of this vulnerability allows Elliptic Curve Cryptography (ECC) certificate validation to bypass the trust store, enabling unwanted or malicious software to masquerade as authentically signed by a trusted or trustworthy organization. This could deceive users or thwart malware detection methods such as antivirus. Additionally, a maliciously crafted certificate could be issued for a hostname that did not authorize it, and a browser that relies on Windows CryptoAPI would not issue a warning, allowing an attacker to decrypt, modify, or inject data on user connections without detection.
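An added illustration of the publicly documented root cause behind the behaviour Microsoft describes above (this advisory does not go into the mechanism, and the code is neither Microsoft's nor Philips'): an X.509 certificate may carry explicit elliptic-curve parameters, and the vulnerable validation matched a certificate's ECC public key against a trusted root's public key without also confirming that the generator (base point) was the standard one. An attacker can therefore pick a base point G' for which they hold the private key of the CA's public point. The P-256 constants are the public standard values; the CA and attacker private keys are constructed; the two trust-check functions are simplified stand-ins for the real validation logic, not CryptoAPI's code. Requires Python 3.8+ for pow(x, -1, p).

```python
# NIST P-256 domain parameters (public constants from FIPS 186-4).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551


def on_curve(pt):
    """True if pt is the point at infinity (None) or satisfies y^2 = x^3 + ax + b."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                          # P + (-P)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P     # tangent (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P            # chord
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def mul(k, pt):
    """Scalar multiplication by double-and-add (not constant-time; demo only)."""
    result, addend = None, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def forge_generator(trusted_public, attacker_private):
    """Pick G' so that attacker_private * G' equals the trusted CA's public point.

    Shipping this G' as explicit curve parameters next to the CA's real public
    key lets the attacker sign with attacker_private and still "match" the root.
    """
    return mul(pow(attacker_private, -1, N), trusted_public)


def naive_trust_check(cert_public, cert_generator, trusted_public):
    """The flawed comparison (illustrative): only the public point is matched."""
    return cert_public == trusted_public


def strict_trust_check(cert_public, cert_generator, trusted_public):
    """The necessary comparison: the whole parameter set, including the base
    point, must equal the trusted root's (or explicit parameters are rejected)."""
    return cert_public == trusted_public and cert_generator == G


def demo():
    """Return (naive_result, strict_result) for a forged parameter set."""
    ca_private = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721        # constructed
    ca_public = mul(ca_private, G)
    attacker_private = 0x1C2D3E4F5A6B7C8D9EAFB0C1D2E3F4A5B6C7D8E9FA0B1C2D3E4F5A6B7C8D9EAF  # constructed
    g_forged = forge_generator(ca_public, attacker_private)
    assert mul(attacker_private, g_forged) == ca_public      # the forged key pair "verifies"
    return (naive_trust_check(ca_public, g_forged, ca_public),
            strict_trust_check(ca_public, g_forged, ca_public))


if __name__ == "__main__":
    naive, strict = demo()
    print("naive check accepts forged parameters:", naive)
    print("strict check accepts forged parameters:", strict)
```

The practical consequence for a verifier is the one in the strict check: a public key is only meaningful together with its full parameter set, so a chain-building routine must compare (or refuse) explicit parameters rather than the public point alone.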


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise)  are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products.
 

Begin Update B: February 4, 2020
 

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2020-0601. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

Achieva (Upgrade R1, R2, R3 to R5, R5, 3.0T, 3.0T (TX), and XR)
Forcare Suite*
IntelliSpace Portal Workstation*
CareEvent*
Holter Recorder DigiTrak XT (CTXT)*
IntelliVue Guardian Software
CompuRecord G.01*
Illumeo 2.0*
IntraSight
Diagnostics Site Server (DSS)
Ingenia (Upgrade to R5 & Factory R5)
MobileDiagnost wDR
DigitalDiagnost C90
IntelliBridge Enterprise (IBE)*
Multiva/Prodiva
DoseWise Portal
IntelliSpace Cardiovascular (ISCV)*
PIC iX*
EchoNavigator
IntelliSpace Console Critical Care (ISCCC)
ST80i A.02
eICU eCare Manager
IntelliSpace Critical Care and Anesthesia (ICCA)*,**
VSS Dashboard*
FocalPoint A.0/A.01*
IntelliSpace ECG Management System B.00 (IECG)
Xper IM*

*Software only products with customer owned Operating Systems

**Information or patch available in Incenter

End Update B

Begin Update A: January 21, 2020
 

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2020-0601. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

Achieva (Upgrade R1, R2, R3 to R5, R5, 3.0T, 3.0T (TX), and XR)
Corsium
Diagnostics Site Server (DSS)
DigitalDiagnost C90
EchoNavigator
Holter Recorder DigiTrak XT (CTXT)
Illumeo 2.0
Ingenia (upgrade to R5 and Factory R5)
IntelliSpace Connect
IntelliSpace Discovery 2.0
IntelliSpace ECG Management System B.00 (IECG)
IntelliSpace Portal Server
IntelliSpace Portal Workstation
MobileDiagnost wDR
Multiva/Prodiva
ST80i A.02
**Information or patch available in Incenter

End Update A

Microsoft Critical Vulnerability Advisory (15 January 2020)

Publication Date: January 15, 2020 

Update Date: April 20, 2020

 

Philips is currently monitoring developments and updates related to the recent Microsoft alert concerning the reported Windows RD Gateway and Windows Remote Desktop Client vulnerabilities (CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611).

 

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for OS updates related to these vulnerabilities and evaluating further actions or updates to potentially affected Philips products.

 

Microsoft has released patches to help remediate these vulnerabilities. Philips is currently in the process of evaluating these patches. According to Microsoft, successful exploitation of this vulnerability could allow an unauthorized user to execute arbitrary code on the target system. An unauthorized user could then install programs; view, change, or delete data; or create new accounts with full user rights.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products.

 

Begin Update C: April 20, 2020

 

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

Achieva (R1, R2, R3 to R5, R5, 3.0T, 3.0TX, and XR)
Epiq
Multiva
Affiniti
FlexCardio
Multiva/Prodiva
Allura (Centron, Clarity, Xper)
FocalPoint A.0/A.01
PIC iX*
Azurion
Holter Recorder DigiTrak XT (DTXT)*
PIIC Classic
CareEvent*
Illumeo 2.0
Prograde
ClearVue
Ingenia (upgrade to R5 & Factory R5)
ProxiDiagnost N90
CombiDiagnost R90
IntelliBridge Enterprise (IBE)*
Sparq
CompuRecord (F.02, G.00, G.01)*
IntelliSpace Breast
SPhAERA (3.x & 4.x)
Core M2
IntelliSpace Cardiovascular (ISCV)*
ST80i A.02*
Coronary Tools
IntelliSpace Console Critical Care (ISCCC)
SyncVision
CX50/30
IntelliSpace Discovery 2.0
UDM
Diagnostics Site Server (DSS)
IntelliSpace ECG Management System B.00 (IECG)*
ViewForum
DigitalDiagnost (C50, C90, Opta C50)
IntelliSpace Perinatal (ISP)*
Volcano Core Imaging System
DoseWise Portal*
IntelliSpace Portal (Server & Workstation)
Volcano Core Mobile Imaging System
DR Compact
IntelliVue Guardian Software*
VSS Dashboard*
DuraDiagnost (Compact and F30)
ISP Anywhere
Xcelera 4.1*
EasyDiagnost
ISP VL Capture 1.1 Visible Light
XIRIS 8.3
EchoNavigator
Juno DRF (5.7)
Xper IM*
eICU Care Manager
MicroDose (S0 (Balder), S1 (L50), S1 U (L50 U))
XtraVision
EP Navigator
MobileDiagnost (M50, Opta, and wDR)

*Software only products with customer owned Operating Systems

**Information or patch available in Incenter

 

End Update C

 

Begin Update B: February 4, 2020

 

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

Achieva (R1, R2, R3 to R5, R5, 3.0T, 3.0TX, and XR)
Epiq
Multiva
Affiniti
FlexCardio
Multiva/Prodiva
Allura (Centron, Clarity, Xper)
FocalPoint A.0/A.01
PIC iX*
Azurion
Holter Recorder DigiTrak XT (DTXT)*
PIIC Classic
CareEvent*
Illumeo 2.0
Prograde
ClearVue
Ingenia (upgrade to R5 & Factory R5)
ProxiDiagnost N90
CombiDiagnost R90
IntelliBridge Enterprise (IBE)*
Sparq
CompuRecord (F.02, G.00, G.01)*
IntelliSpace Breast
SPhAERA (3.0 to 3.5, 3.6 & greater)
Core M2
IntelliSpace Cardiovascular (ISCV)*
ST80i A.02*
Coronary Tools
IntelliSpace Console Critical Care (ISCCC)
SyncVision
CX50/30
IntelliSpace Discovery 2.0
UDM
Diagnostics Site Server (DSS)
IntelliSpace ECG Management System B.00 (IECG)*
ViewForum
DigitalDiagnost (C50, C90, Opta C50)
IntelliSpace Perinatal (ISP)*
Volcano Core Imaging System
DoseWise Portal*
IntelliSpace Portal (Server & Workstation)
Volcano Core Mobile Imaging System
DR Compact
IntelliVue Guardian Software*
VSS Dashboard*
DuraDiagnost (Compact and F30)
ISP Anywhere
Xcelera 4.1*
EasyDiagnost
ISP VL Capture 1.1 Visible Light
XIRIS 8.3
EchoNavigator
Juno DRF (5.7)
Xper IM*
eICU Care Manager
MicroDose (S0 (Balder), S1 (L50), S1 U (L50 U))
XtraVision
EP Navigator
MobileDiagnost (M50, Opta, and wDR)

*Software only products with customer owned Operating Systems

**Information or patch available in Incenter

End Update B


Begin Update A: January 21, 2020
 

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

Access CT (6 & 16 Slice)
Achieva (R1, R2, R3 to R5, R5, 3.0T, 3.0TX, and XR)
Brilliance (Big Bore Radiology, CT 64, CT Big Bore, iCT, iCT SP)
CombiDiagnost R90
Corsium
CT MX16 EV02
Diagnostics Site Server (DSS)
DigitalDiagnost (C50, C90, Opta C50)
DR Compact
DuraDiagnost (Compact and F30)
EasyDiagnost
Holter Recorder DigiTrak XT (DTXT)
Ingenia (upgrade to R5 & Factory R5)
Ingenuity (Core, Core 128, Core128/Elite China, CT, CT Brazil, TF PET/CT, TF PET/CT RoHS systems)
IntelliSpace Breast
IntelliSpace Connect Release 1.0
IntelliSpace ECG Management System B.00 (IECG)
IQon Spectral CT
Juno DRF
MicroDose (S0 (Balder), S1 (L50), S1 U (L50 U))
MobileDiagnost (M50, Opta and wDR)
Multiva
Multiva/Prodiva
Prograde
ProxiDiagnost N90
SPhAERA (3.x & 4.x)
ST80i A.02
Vereos

**Information or patch available in Incenter


End Update A

Microsoft Win7 and WinServer2008 R2 End-of-Support (14 January 2020)

Publication Date: January 14, 2020

Update Date: January 14, 2020

 

Philips is aware that Microsoft is ending Extended Support for the Windows 7 and Windows Server 2008 R2 operating systems on January 14, 2020.

 

As part of Philips product lifecycle management processes, product security policy, and associated protocols, and in anticipation of the expiration of Microsoft’s Extended Support period for Windows 7 and Windows Server 2008 R2, Philips has been evaluating Philips products and solutions that utilize these operating systems.

 

Philips is currently working to provide information regarding the expiration of Microsoft Extended Support for Windows 7 and Windows Server 2008 R2 as it relates to Philips products and solutions, together with guidance on obtaining any further product-specific information for Philips products or solutions that use these Microsoft operating systems.

 

Philips products and solutions must be deployed and operated within Philips-approved product specifications as noted in their Instructions for Use.  Also, as required by government regulations in the markets we operate in, all changes of configuration or software to Philips’ products or solutions (including operating system security updates and patches) may be implemented only by following Philips product-specific, verified and validated, authorized, and communicated customer procedures or field actions.

 

Contract-entitled customers and service representatives may access product-specific service documentation produced by Philips product teams and made available to Philips product service support and/or service delivery platforms such as Philips InCenter (https://incenter.medical.philips.com). Entitled customers are encouraged to request Philips InCenter access and reference product-specific information when posted. Customers are also encouraged to contact their local service support team or regional product service support for information specific to their Philips’ products or environments.

 

Philips is providing the list below in order to assist our customers in identifying Philips’ products and solutions running on Microsoft Windows 7 or Windows Server 2008 R2.  However, the list below is not exhaustive for all affected Philips products, and it includes:

 

  • products that have reached Philips end-of-life or end-of-support (****),
  • software-only products that may also be compatible with other OS versions or that may enable customers with options or roadmap plans to upgrade the customer owned OS and/or affected Philips product (*),
  • products with a currently available upgrade path to a fully supported Philips solution,
  • products aligned with 2020 roadmap plans to enable an upgrade path to a fully supported Philips solution,
  • products with other Philips recommended risk mitigation or remediation steps
Access CT 6/16 – 2.x
Brilliance Big Bore / 4.2
Brilliance iCT/4.x, iCT SP/4.x, 64/4.x
CareEvent *
CompuRecord *
Core Imaging S5 3.5, M2 4.2
Diagnostic Site Server (DSS)
DynaCAD Breast and Prostate
DynaSuite Neuro 3
eCareManager *
eICU *
G3 Alice6 *
HCIS RIS 2010 10.x Clients
HCIS Vue PACS 11.3, Vue PACS 11.4 *
HCIS Vue RIS 11.0.12.x
HeartStart Configure 3.1 *
HeartStart Data Messenger 4.3.1 *
HeartStart Event Review 3.x, 4.x *,****
HeartStart Event Review Pro 5.0 *
IBE *
IEM v11.0x *
Incisive CT/1.0
Ingenuity CT / 4.x, Core, Core 128
Ingenuity TF/4.0.x
IntelliSpace Critical Care and Anesthesia (ICCA) *
IntelliSpace ECG Management System B.00 (IECG) *
IntelliSpace PACS 4.4
IntelliSpace Perinatal *
IntelliVue Guardian Software *
ISCV 1.x, 2.x, 3.x, 4.x *
ISP Anywhere 1.3
ISP6/7/8
Mobile 3.5
MX 16/2.x
Oncad
PIIC iX, PIIC Classic *
Respironics Actiware *
SensaVue HD and fMRI
Sleepware G3 *
SPhAERA (3.0 to 3.5) ****
ST80i A.02 *
Syncvision 4.2
Tempus ReachBak i2i *
UDM 1.1, 2.1
Vereos/2.0.x
Viewforum for Fixed Systems  V6.3V1L9
Viewforum for Mobile Systems V6.3V1L7, V6.3V1L8
Vue RIS 11.0.14.x
Xcelera 4.1 *
XIRIS 8.3
Xper Flex Cardio
Xper IM 1.5, 2.x *

Information available from Philips InCenter, local service support, or regional product service support.

 

* Software only products with customer owned Operating Systems

**** End of Life (EoL)

 

If customers still have questions, all customers are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products or solutions.

Philips Veradius Unity, Pulsera, and Endura Dual WAN Router (19 December 2019)

Publication Date: December 19, 2019

Update Date: December 19, 2019

 

Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.

  

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible system security vulnerabilities, the company is proactively issuing an advisory regarding specific Philips Veradius Unity (718132) Medical Devices with a Dual WAN Router (with wireless or ViewForum options) shipped between 2016 and August 2018, and regarding Pulsera (718095) and Endura (718075) Medical Devices with a Dual WAN Router (with wireless or ViewForum options) shipped between 26 June 2017 and 07 August 2018.

 

Philips has become aware that affected routers may have inadequate encryption strength, which may allow an unauthorized user to compromise the router management interface. 

 

Data confidentiality is protected by internal system design, which prevents the Dual WAN router vulnerability from being exploited further. Even if the Dual WAN router vulnerability is exploited, there is no possible access to patient data or interference with usage of the system. Thus, the medical device is safe to use and has no security risk.

 

Philips has a solution available for customers who have the wireless or ViewForum option in their product to update the configuration of the Dual WAN router. 

 

To contact your local Philips service support team or regional service support, Philips contact information is available at the following location:

https://www.usa.philips.com/healthcare/solutions/customer-service-solutions

 

Please see the Philips product security web site for the latest security information for Philips products: https://www.philips.com/productsecurity 

 

Philips has reported this potential vulnerability and its resolution to customers and the appropriate government agencies, including US DHS CISA, which is issuing an advisory.

Philips IntelliBridge EC40/80 (14 November 2019)

Publication Date:  November 14, 2019

Update Date: December 12, 2019

 

Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive, ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.

 

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible security vulnerabilities, the company is proactively issuing an advisory regarding the Philips IntelliBridge EC40 and EC80 Hub.

 

Philips has become aware of a potential issue with inadequate encryption strength associated with the Philips IntelliBridge EC40 and EC80 Hub. Successful exploitation of this issue may allow an unauthorized user access to the hub, and may allow access to execute software, modify system configuration, or view/update files, including unidentifiable patient data. No known public exploits specifically target this vulnerability. This vulnerability is exploitable from an adjacent network.

 

Philips plans a new release to remediate this issue by the end of Q3 2020. Philips has not received any reports of exploitation of this vulnerability or of incidents from clinical use that we have been able to associate with this issue.

 

Philips has reported this potential vulnerability and its mitigation to customers and the appropriate government agencies, including CISA, which is issuing an advisory.

 

Users with questions regarding their specific Philips IntelliBridge EC40/EC80 Hub installation should contact their local Philips service support team, or regional service support. Philips contact information is available at the following location:

https://www.usa.philips.com/healthcare/solutions/customer-service-solutions

US DHS CISA (Cybersecurity and Infrastructure Security Agency): https://www.us-cert.gov/ics/advisories/icsma-19-318-01

Philips IntelliSpace Perinatal (24 October 2019)

Publication Date: October 24, 2019

Update Date: October 24, 2019

Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive, ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible security vulnerabilities, the company is proactively issuing an advisory regarding the Philips IntelliSpace Perinatal obstetrics information system.

Philips has become aware that for Versions K and prior of the Philips IntelliSpace Perinatal system, a potential vulnerability may allow an unauthorized user access to system resources. This could impact confidentiality and integrity of the system and application. To exploit this issue, an attacker would require physical access to a locked application screen, or a remote desktop session host application.

Philips has not received any reports of exploitation of this vulnerability or of incidents from clinical use that we have been able to associate with this issue. Philips is providing customers with a detailed update to Philips IntelliSpace Perinatal documentation to provide clear guidance on recommended mitigations for this issue. This documentation is available to customers on Philips InCenter. Philips will be further assessing potential mitigations in the next minor product update, which is planned for the end of 2020.

Philips has reported this potential vulnerability and its mitigation to customers and the appropriate government agencies, including CISA, which is issuing an advisory.

Users with questions regarding their specific Philips IntelliSpace Perinatal installation should contact their Customer Success Manager (CSM), local Philips service support team, or regional service support. Philips contact information is available at the following location:

https://www.usa.philips.com/healthcare/solutions/customer-service-solutions

Please see the Philips product security web site for the latest security information for Philips products: https://www.philips.com/productsecurity

Philips IntelliVue Wireless Local Area Network (WLAN) module (12 Sept 2019)

Publication Date: September 12, 2019

Update Date: September 12, 2019

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible system security vulnerabilities, the company is proactively issuing an advisory regarding Versions A and B of the Philips IntelliVue Wireless Local Area Network (WLAN) module available in specific Philips IntelliVue Patient Monitors.

Philips has become aware that under certain specific conditions, an unauthorized user with a high skill level and access to the device’s local area network may be able to corrupt the WLAN firmware and impact data flow. Should there be an interruption, an inoperative device alert would appear on the device and on its associated central station.

At this time, Philips has received no reports of patient harm. Philips analysis has shown that it is unlikely that this vulnerability would impact clinical use, due to mitigating controls currently in place. To date, Philips has received no complaints involving clinical use that we have been able to associate with this problem, or evidence of patient identifiers compromised.

To address this issue, Philips recommends customers update to the WLAN Module Version C wireless module in affected IntelliVue Monitors. WLAN Version C with current firmware of B.00.31 is not vulnerable to the described attack. Regarding other versions, WLAN Version A will be addressed by a software patch from Philips, estimated to be available in InCenter by the end of 2019. The Philips WLAN Version B is obsolete. Wireless network access should be controlled by authentication and authorization (e.g. WPA2), which are supported by Philips. Additional mitigations include implementing a firewall rule on the customer wireless network, and further controls on physical access to the system.

Philips has reported this potential vulnerability and its resolution to customers and the appropriate government agencies, including US DHS ICS-CERT, which is issuing an advisory.

Users with questions regarding their Philips IntelliVue WLAN Module software are advised by Philips to contact their local Philips service support team, or regional service support. Philips contact information is available at the following location:

https://www.usa.philips.com/healthcare/solutions/customer-service-solutions

Please see the Philips product security web site for the latest security information for Philips products: https://www.philips.com/productsecurity

Philips Ultrasound HDI 4000 (29 August 2019)

Publication Date: August 29, 2019

Update Date: August 29, 2019

Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive, ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible system security vulnerabilities, the company is proactively issuing an advisory regarding the Philips HDI 4000 Ultrasound system. This system was discontinued in 2006, and product support ceased in 2013.

Philips has become aware that if the Philips HDI 4000 Ultrasound system is running on outdated, unsupported operating systems, such as Windows 2000, an unauthorized user may be able to access ultrasound images or compromise image integrity.

Philips has not received any reports of exploitation of these vulnerabilities or of incidents from clinical use that we have been able to associate with this problem. This issue does not affect patient safety, system operations, or availability.

Philips recommends as mitigation that users implement controls to limit access to the network and consider replacing the system with a newer technology and supported operating system.

Philips has reported this potential vulnerability and its mitigation to customers and the appropriate government agencies, including US DHS ICS-CERT, which is issuing an advisory.

Users with questions regarding their specific Philips HDI 4000 Ultrasound system installation should contact their Customer Success Manager (CSM), local Philips service support team, or regional service support. Philips contact information is available at the following location:

https://www.usa.philips.com/healthcare/solutions/customer-service-solutions

Please see the Philips product security web site for the latest security information for Philips products: https://www.philips.com/productsecurity

Microsoft Remote Desktop Services Remote Execution Vulnerability – DejaBlue (15 August 2019)

Publication Date: August 15, 2019

Update Date: April 20, 2019

Philips is currently monitoring developments and updates related to the recent Microsoft alert concerning the reported Remote Desktop Services Remote Code Execution vulnerability named DejaBlue (CVE-2019-1181 and CVE-2019-1182).

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for OS updates related to these vulnerabilities and evaluating further actions or updates to potentially affected Philips products.

Microsoft has released patches to help remediate these vulnerabilities. Philips is currently in the process of evaluating these patches. Successful exploitation of this vulnerability could allow an unauthorized user to execute arbitrary code on the target system. An unauthorized user could then install programs; view, change, or delete data; or create new accounts with full user rights.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products.

Begin Update C: April 20, 2020

Affiniti (30,50,70)
Analytics 1.1
ClearVue
CX50/30
Diagnostic Site Server (DSS)
Efficia Central - SureSigns Monitor / CMS200 (C.01)**
Envisor
Epiq (5/7)
FocalPoint (A.0/A.01)**
IBE (B.02 - B.09)*,**
IU22
IE33
IEM v11.01-v11.04**
IntelliSpace Breast (v2.1, 2.2, 3.1, 3.2)
IntelliSpace Cardiovascular (ISCV 1.x - 3.x)*
IntelliSpace PACS 4.4
IntelliSpace PACS 4.4.55x
IntelliSpace Portal Server (7,8,9)**
IntelliSpace Portal Workstation (7,8,9,10)**
ISP Anywhere (1.3)
ISP VL Capture 1.1 Visible Light
Juno DRF (5.7)
MicroDose SI (L50) (9.0 P1,P2,P3)
MicroDose SI U (L50 U) (9.0 P1,P2,P3)
Sparq
SPhAERA (3.6 & up)
UDM (1.1, 2.1)
VISIQ
Xcelera 4.1
XIRIS (8.1, 8.3)
Xper IM (1.5, 2.x)

*Software-only products with customer-owned Operating Systems

**Information or patch available in InCenter

Note: For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability, and customers are advised not to disconnect the PRS, as doing so may prevent Philips service teams from providing required immediate and proactive support such as remote patching.

Philips is continuing to assess the Microsoft patch for Philips’ products and services that use remote desktop services. Philips will use InCenter as the communication mechanism for necessary mitigation or remediation.

End Update C

Begin Update B: December 13, 2019

Affiniti (30,50,70)
Analytics 1.1
ClearVue
CX50/30
DSS
Efficia Central - SureSigns Monitor / CMS200 (C.01)**
Envisor
Epiq (5/7)
FocalPoint (A.0/A.01)**
IBE (B.02 - B.09)*,**
IDM
IE33
IEM v11.01-v11.04**
IntelliSpace Breast (v2.1, 2.2, 3.1, 3.2)
IntelliSpace Cardiovascular (ISCV 1.x - 3.x)*
IntelliSpace PACS 4.4
IntelliSpace PACS 4.4.55x
IntelliSpace Portal Server (7,8,9)**
IntelliSpace Portal Workstation (7,8,9,10)**
ISP Anywhere (1.3)
ISP VL Capture 1.1 Visible Light
IU22
Juno DRF (5.7)
MicroDose SI (L50) (9.0 P1,P2,P3)
MicroDose SI U (L50 U) (9.0 P1,P2,P3)
Sparq
SPhAERA (3.6 & up)
UDM (1.1, 2.1)
VISIQ
Xcelera 4.1
XIRIS (8.1, 8.3)
Xper IM (1.5, 2.x)

*Software-only products with customer-owned Operating Systems

**Information or patch available in InCenter

Note: For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability, and customers are advised not to disconnect the PRS, as doing so may prevent Philips service teams from providing required immediate and proactive support such as remote patching.

Philips is continuing to assess the Microsoft patch for Philips’ products and services that use remote desktop services. Philips will use InCenter as the communication mechanism for necessary mitigation or remediation.

End Update B

Urgent/11 VxWorks and TCP/IP IPnet Advisory (1 August 2019)

Publication Date: August 1, 2019

Update Date: December 11, 2019

Security researchers at Armis have disclosed 11 different zero-day vulnerabilities within Wind River’s VxWorks, a real-time operating system used in over 2 billion embedded systems that include medical devices, routers, VOIP phones and mission-critical infrastructure equipment. The collection of vulnerabilities, which Armis refers to as "Urgent/11," could lead to remote code execution and allow an attacker to take over a whole system without interacting with the user. Of the 11 flaws, six are deemed critical. Successful exploitation of this vulnerability could allow an unauthorized user to execute arbitrary code on the target system. An unauthorized user could then install programs; view, change, or delete data; or create new accounts with full user rights.

Philips is currently monitoring developments and updates related to the recently published advisory (ICSA-19-211-01) concerning the 11 reported CVEs referred to as Urgent/11. In the advisory, several versions of VxWorks are listed as not vulnerable, which Philips has taken into consideration for product evaluation and analysis.

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing VxWorks for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for OS updates related to these vulnerabilities and evaluating further actions or updates to potentially affected Philips products. Wind River has released VxWorks patches to help remediate these vulnerabilities. Philips is currently in the process of evaluating these patches.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products.

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to Urgent/11. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

Achieva and Achieva 3.0T (R5.3, R5.4 and higher)***
BrightView SPECT (1.x)***
BrightView X (2.x)***
BrightView XCT (2.x)***
GEOPC (Component of Allura & Azurion)***
HDI 3500****
HDI 3000****
Ingenia (R4, R5.3, R5.4 and higher)***
IntelliSpace Breast (v2.1, 2.2, 3.1, 3.2)
Multiva (R5.3, R5.4)***
Multiva/Prodiva (R5.4)***
Smart-hopping Access Point Controller (for MX40 and Telemetry products)**
Zenition**

**Information or patch available in InCenter

***Vulnerability is TCP/IP related and these are not network connected

****End of Life (EoL)

End Update E

Begin Update D: September 11, 2019

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to Urgent/11. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

Achieva and Achieva 3.0T (R5.3, R5.4 and higher)***
GEOPC (Component of Allura & Azurion)***
HDI 3000****
HDI 3500****
Ingenia (R4, R5.3, R5.4 and higher)***
Multiva (R5.3, R5.4)***
Multiva/Prodiva (R5.4)***
Smart-hopping Access Point Controller (for MX40 and Telemetry products)**
Zenition**

**Information or patch available in InCenter

***Vulnerability is TCP/IP related and these are not network connected

****End of Life (EoL)

End Update D

Begin Update C: August 15, 2019

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to Urgent/11. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

Achieva and Achieva 3.0T (R5.3, R5.4 and higher)***
GEOPC (Component of Allura & Azurion)***
HDI 3000****
HDI 3500****
Ingenia (R4, R5.3, R5.4 and higher)***
Multiva (R5.3, R5.4)***
Multiva/Prodiva (R5.4)***
Smart-hopping Access Point Controller (for MX40 and Telemetry products)
Zenition**

**Information or patch available in InCenter

***Vulnerability is TCP/IP related and these are not network connected

****End of Life (EoL)

End Update C

Begin Update B: August 8, 2019

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to Urgent/11. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

Update B supersedes products listed in Update A as they were determined to be running non-vulnerable versions of VxWorks.

GEOPC (Component of Allura & Azurion)***
HDI 3000****
HDI 3500****
Smart-hopping Access Point Controller (for MX40 and Telemetry products)
Zenition**

**Information or patch available in InCenter

***Vulnerability is TCP/IP related and these are not network connected

****End of Life (EoL)

End Update B

Begin Update A: August 2, 2019

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to Urgent/11. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

<Reference table in Update B>

**Information or patch available in InCenter

End Update A

Philips Holter 2010 Plus (11 July 2019)

Publication Date: July 11, 2019

Update Date: July 11, 2019

Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible system security vulnerabilities, the company is proactively issuing an advisory regarding the Philips Holter 2010 Plus electrocardiogram (EKG) software.

Philips has become aware that under certain specific conditions, an unauthorized user with a high skill level may potentially be able to access software options not purchased by the customer. If exploited, this could enable system options that were not purchased. It does not impact patient safety, patient data integrity or confidentiality, or system operations.

Philips recommends users implement role-based access controls to control physical access to the system. Further controls are provided by the multiple components required to exploit the vulnerability.

Philips has reported this potential vulnerability and its resolution to customers and the appropriate government agencies, including US DHS ICS-CERT, which is issuing an advisory.

Users with questions regarding their specific Philips Holter 2010 Plus software installation are advised by Philips to contact their Customer Success Manager (CSM), local Philips service support team, or regional service support. Philips contact information is available at the following location:

https://www.usa.philips.com/healthcare/solutions/customer-service-solutions

Microsoft Remote Desktop Services Remote Execution Vulnerability – BlueKeep (15 May 2019)

Publication Date: May 15, 2019

Update Date: April 20, 2019

Begin Update G: April 20, 2020

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2019-0708. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

Analytics 1.1
CompuRecord (F.02, G.00, and G.01)*
Diagnostics Site Server (DSS)
DynaCAD Breast and Prostate*
DynaSuite Neuro 3*
Efficia Central - SureSigns Monitor / CMS200
eICU*,**
Extended Brilliance Workspace (EBW)**
Forcare suite*
Holter Recorder DigiTrak XT (DTXT)*
IBE (B.02, B.03, B.04, B.05, B.06, B.07, B.08, B.09, B.10)**
ICCA (F, G)*,**
IEM (v11.00, v11.01, v11.02, v11.03, v11.04)**
IntelliSpace Breast (v2.1, 2.2, 3.1, 3.2)
Intellispace Cardiovascular (ISCV)*,****
IntelliSpace ECG Management System B.00 (IECG)*,**
IntelliSpace PACS (4.4, 4.4.551, 4.4.553)***
IntelliSpace Perinatal Revision (H, J, K)*,**
IntelliSpace Portal (ISP) Server & Workstation**
IntelliVue Guardian Software*,**
Invivo Esys
ISEE**
ISP Anywhere (v1.3)
ISP VL Capture 1.1 Visible Light (v1.1)
Juno DRF (5.0-.6, 5.7)**
Lung Cancer Screening Solution*
MicroDose L30 (8.0, 8.1, 8.2 P1, 8.3 P1, 8.4 P1 P2 P3)**
MicroDose SI L50 (9.0 P1, P2, P3, P4, P5)**
MicroDose SI U L50 U (9.0 P1, P2, P3, P4, P5)**
MR Intera/Achieva/Ingenia/Multiva/Panorama 1.0T/Prodiva R5.3**
Oncad
PIIC Classic (L, M, N, N.01)**
PIIC iX (A.0, B.0, B.02)**
SensaVue HD & FMRI
ST80i A.02*,**
UDM (v1.1, 2.1)***
UroNav (1.x/2.x)
Xcelera 4.1*
XIRIS (8.2, 8.3)
Xper IM*,**

*Software-only products with customer-owned Operating Systems

**Information or patch available in InCenter

***Philips hosting business validated and deployed the patch to the managed infrastructure

****Patch is tested and can be installed via the Windows Update mechanism

Note: For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability, and customers are advised not to disconnect the PRS, as doing so may prevent Philips service teams from providing required immediate and proactive support such as remote patching.

Philips is continuing to assess the Microsoft patch for Philips’ products and services that use remote desktop services. Philips will use InCenter as the communication mechanism for necessary mitigation or remediation.

End Update G

Begin Update F: December 10, 2019

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2019-0708. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

Analytics 1.1
CompuRecord (F.02, G.00, and G.01)*
Diagnostics Authoring Workspot (DAW)**
Diagnostics Site Server (DSS)
DynaCAD Breast and Prostate*
DynaSuite Neuro 3*
Efficia Central - SureSigns Monitor / CMS200
eICU*,**
Extended Brilliance Workspace (EBW)**
Forcare suite*
Holter Recorder DigiTrak XT (DTXT)*
IBE (B.02, B.03, B.04, B.05, B.06, B.07, B.08, B.09, B.10)**
ICCA (F, G)*,**
IDM
IEM (v11.00, v11.01, v11.02, v11.03, v11.04)**
IntelliSpace Breast (v2.1, 2.2, 3.1, 3.2)
Intellispace Cardiovascular (ISCV)*,****
IntelliSpace ECG Management System B.00 (IECG)*,**
IntelliSpace PACS (4.4, 4.4.551, 4.4.553)***
IntelliSpace Perinatal Revision (H, J, K)*,**
IntelliSpace Portal (ISP) Server & Workstation**
IntelliVue Guardian Software*,**
Invivo Esys
ISEE**
ISP Anywhere (v1.3)
ISP VL Capture 1.1 Visible Light (v1.1)
Juno DRF (5.0-.6, 5.7)**
Lung Cancer Screening Solution*
MicroDose L30 (8.0, 8.1, 8.2 P1, 8.3 P1, 8.4 P1 P2 P3)**
MicroDose SI L50 (9.0 P1, P2, P3, P4, P5)**
MicroDose SI U L50 U (9.0 P1, P2, P3, P4, P5)**
MR Intera/Achieva/Ingenia/Multiva/Panorama 1.0T/Prodiva R5.3**
Oncad
PIIC Classic (L, M, N, N.01)**
PIIC iX (A.0, B.0, B.02)**
SensaVue HD & FMRI
ST80i A.02*,**
UDM (v1.1, 2.1)***
UroNav (1.x/2.x)
Xcelera 4.1*
XIRIS (8.2, 8.3)
Xper IM*,**

*Software-only products with customer-owned Operating Systems

**Information or patch available in InCenter

***Philips hosting business validated and deployed the patch to the managed infrastructure

****Patch is tested and can be installed via the Windows Update mechanism

Note: For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability, and customers are advised not to disconnect the PRS, as doing so may prevent Philips service teams from providing required immediate and proactive support such as remote patching.

Philips is continuing to assess the Microsoft patch for Philips’ products and services that use remote desktop services. Philips will use InCenter as the communication mechanism for necessary mitigation or remediation.

End Update F

Begin Update E: September 11, 2019

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2019-0708. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

Analytics 1.1
CompuRecord (F.02, G.00, and G.01)*
Diagnostics Authoring Workspot (DAW)**
Diagnostics Site Server (DSS)
Efficia Central - SureSigns Monitor / CMS200
eICU*,**
Extended Brilliance Workspace (EBW)**
Forcare suite*
Holter Recorder DigiTrak XT (DTXT)*
IBE (B.02, B.03, B.04, B.05, B.06, B.07, B.08, B.09, B.10)**
ICCA (F, G)**
IEM (v11.00, v11.01, v11.02, v11.03, v11.04)**
IntelliSpace Breast (v2.1, 2.2, 3.1, 3.2)
Intellispace Cardiovascular (ISCV)*
IntelliSpace ECG Management System B.00 (IECG)*,**
IntelliSpace PACS (4.4, 4.4.551, 4.4.553)
IntelliSpace Perinatal Revision (H, J, K)*,**
IntelliSpace Portal (ISP) Server & Workstation**
IntelliVue Guardian Software*
ISEE
ISP Anywhere (v1.3)
ISP VL Capture 1.1 Visible Light (v1.1)
Juno DRF (5.0-.6, 5.7)
MicroDose L30 (8.0, 8.1, 8.2 P1, 8.3 P1, 8.4 P1 P2 P3)
MicroDose SI L50 (9.0 P1, P2, P3, P4, P5)
MicroDose SI U L50 U (9.0 P1, P2, P3, P4, P5)
MR Intera/Achieva/Ingenia/Multiva/Prodiva R5.3
PIIC Classic (L, M, N, N.01)**
PIIC iX (A.0, B.0, B.02)**
ST80i A.02*,**
UDM (v1.1, 2.1)
Xcelera 4.1*
XIRIS (8.2, 8.3)
Xper IM*

*Software-only products with customer-owned Operating Systems

**Information or patch available in InCenter

Note: For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability, and customers are advised not to disconnect the PRS, as doing so may prevent Philips service teams from providing required immediate and proactive support such as remote patching.

Philips is continuing to assess the Microsoft patch for Philips’ products and services that use remote desktop services. Philips will use InCenter as the communication mechanism for necessary mitigation or remediation.

End Update E

Begin Update D: August 15, 2019

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2019-0708. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

CompuRecord (F.02, G.00, and G.01)*
Diagnostics Authoring Workspot (DAW)**
Efficia Central - SureSigns Monitor / CMS200
eICU*,**
Extended Brilliance Workspace (EBW)**
Forcare suite*
Holter Recorder DigiTrak XT (DTXT)*
IBE (B.02, B.03, B.04, B.05, B.06, B.07, B.08, B.09, B.10)**
ICCA (F, G)**
IEM (v11.00, v11.01, v11.02, v11.03, v11.04)**
IntelliSpace Breast
Intellispace Cardiovascular (ISCV)*
IntelliSpace ECG Management System B.00 (IECG)*,**
IntelliSpace Perinatal Revision (H, J, K)*,**
IntelliSpace Portal (ISP) Server & Workstation**
IntelliVue Guardian Software*
MR Intera/Achieva/Ingenia/Multiva/Prodiva R5.3
PIIC Classic (L, M, N, N.01)**
PIIC iX (A.0, B.0, B.02)**
ST80i A.02*,**
Xcelera 4.1*
Xper IM*

*Software-only products with customer-owned Operating Systems

**Information or patch available in InCenter

Note: For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability, and customers are advised not to disconnect the PRS, as doing so may prevent Philips service teams from providing required immediate and proactive support such as remote patching.

Philips is continuing to assess the Microsoft patch for Philips’ products and services that use remote desktop services. Philips will use InCenter as the communication mechanism for necessary mitigation or remediation.

End Update D

Begin Update C: June 30, 2019

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2019-0708. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

CompuRecord (F.02, G.00, and G.01)*
DAW**
Efficia Central - SureSigns Monitor / CMS200
eICU*
Extended Brilliance Workspace (EBW)**
Forcare suite*
Holter Recorder DigiTrak XT (DTXT)*
IBE (B.02, B.03, B.04, B.05, B.06, B.07, B.08, B.09, B.10)**
ICCA (F, G)**
IEM (v11.00, v11.01, v11.02, v11.03, v11.04)**
IntelliSpace Breast
Intellispace Cardiovascular (ISCV)*
IntelliSpace ECG Management System B.00 (IECG)*
IntelliSpace Perinatal Revision (F, J.x)*
IntelliSpace Portal (ISP) Server & Workstation**
IntelliVue Guardian Software*
MR Intera/Achieva/Ingenia/Multiva/Prodiva R5.3
PIIC Classic (L, M, N, N.01)
ST80i A.02
Xcelera 4.1*
Xper IM*

*Software-only products with customer-owned Operating Systems

**Information or patch available in InCenter

Note: For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability, and customers are advised not to disconnect the PRS, as doing so may prevent Philips service teams from providing required immediate and proactive support such as remote patching.

Philips is continuing to assess the Microsoft patch for Philips’ products and services that use remote desktop services. Philips will use InCenter as the communication mechanism for necessary mitigation or remediation.

End Update C

Begin Update B: June 7, 2019

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2019-0708. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

CompuRecord (F.02, G.00, and G.01)*
DAW**
Efficia Central - SureSigns Monitor / CMS200
eICU*
Extended Brilliance Workspace (EBW)**
Forcare suite*
Holter Recorder DigiTrak XT (DTXT)*
IBE (B.02, B.03, B.04, B.05, B.06, B.07, B.08, B.09, B.10)**
ICCA (F, G)**
IEM (v11.00, v11.01, v11.02, v11.03, v11.04)**
IntelliSpace Breast
Intellispace Cardiovascular (ISCV)*
IntelliSpace ECG Management System B.00 (IECG)*
IntelliSpace Perinatal Revision (F, J.x)*
IntelliSpace Portal (ISP) Server & Workstation**
IntelliVue Guardian Software*
PIIC Classic (L, M, N, N.01)
ST80i A.02
Xcelera 4.1*
Xper IM*

*Software-only products with customer-owned Operating Systems

**Information or patch available in InCenter

Note: For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability, and customers are advised not to disconnect the PRS, as doing so may prevent Philips service teams from providing required immediate and proactive support such as remote patching.

Philips is continuing to assess the Microsoft patch for Philips’ products and services that use remote desktop services. Philips will use InCenter as the communication mechanism for necessary mitigation or remediation.

End Update B

Begin Update A: May 22, 2019

 

Philips is providing the list below to better assist our customers in identifying Philips products running Windows XP, Windows 7, Windows Server 2003 and Windows Server 2008. The list is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

CompuRecord (F.02, G.00, and G.01)
Efficia Central - SureSigns Monitor / CMS200
eICU
Holter Recorder DigiTrak XT (DTXT)
IBE (B.02, B.03, B.04, B.05, B.06, B.07, B.08, B.09, B.10)
ICCA (F, G)
IEM (v11.00, v11.01, v11.02, v11.03, v11.04)
IntelliSpace ECG Management System B.00 (IECG)
IntelliSpace Perinatal Revision (F, J.x)
IntelliVue Guardian Software
ST80i A.02

Note:


For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability. Customers are advised not to disconnect the PRS, as doing so may prevent Philips service teams from providing required immediate and proactive support, such as remote patching.

 

Philips is continuing to assess the Microsoft patch for Philips products and services that use Remote Desktop Services. Philips will use InCenter as the communication mechanism for any necessary mitigation or remediation.

 

End Update A

 

Philips is currently monitoring developments and updates related to the recent Microsoft alert concerning the reported Remote Desktop Services Remote Code Execution vulnerability (CVE-2019-0708).

 

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for OS updates related to these vulnerabilities and evaluating further actions or updates to potentially affected Philips products.

 

Microsoft has released patches to help remediate these vulnerabilities. Philips is currently in the process of evaluating these patches.

Successful exploitation of this vulnerability could allow an unauthenticated attacker to execute arbitrary code on the target system. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference the product-specific information posted there. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips products.

DICOM Standard Cybersecurity Vulnerability Research (2 May 2019)

Publication Date: May 2, 2019

Update Date: June 6, 2019

 

Philips is aware of recently published findings by security researchers regarding the potential for cybersecurity vulnerabilities in medical imaging equipment and networks related to the Digital Imaging and Communications in Medicine (DICOM) standard, which is used for the exchange of medical images. The Philips global Product Security team is reviewing the published research for further analysis.

 

A number of the defenses proposed in the research for this type of attack have long been advocated and implemented by Philips across our systems and products, including network and device environment hardening, data encryption, limiting device Internet exposure, and identity and password protection. Philips continues to be a strong proponent of device encryption, and end-to-end encryption strategies are part of Philips' design-for-security approach to the development and deployment of our products and systems.

 

At this time, a Philips product security analysis of imaging systems indicates limited exposure to this potential vulnerability, whether via network-based use or physical media. Philips imaging systems typically do not interpret or otherwise interact with the DICOM "preamble" content, which has been identified as a possible vector for malicious code. The preamble is the 128-byte field at the very start of a DICOM Part 10 file, ahead of the "DICM" magic bytes; the standard leaves its content unspecified and DICOM parsers skip it, so bytes placed there do not influence how the image is read and would only take effect if some other component treated the file as an executable.
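The check below is an added example, not Philips code, of how an ingest gateway or file scanner could triage the header described above: it reads the 128-byte preamble and the "DICM" magic, flags well-known executable signatures at offset 0, and, for an "MZ" stub, follows the e_lfanew pointer at offset 0x3C to confirm whether a "PE\0\0" signature sits later in the same file (the polyglot case). All sample headers are constructed inline; the "ACME SCANNER" vendor string, the signature table and the verdict strings are this example's own choices.

```python
"""Triage a DICOM Part 10 file header for executable content in the preamble.

A Part 10 file starts with a 128-byte preamble that DICOM readers do not
interpret, followed by the 4-byte magic "DICM". Added example; constructed data.
"""
import struct

PREAMBLE_LEN = 128
DICOM_MAGIC = b"DICM"

# Signatures found at offset 0 of common executable formats (example's own table).
EXECUTABLE_SIGNATURES = {
    b"MZ": "DOS/Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit executable",
}


def inspect_dicom_header(data: bytes) -> dict:
    """Return findings for the preamble and magic of a candidate DICOM file."""
    findings = {
        "part10_file": False,
        "preamble_is_zero": False,
        "executable": None,
        "pe_header_offset": None,
        "verdict": "not a DICOM Part 10 file",
    }
    if len(data) < PREAMBLE_LEN + len(DICOM_MAGIC):
        return findings
    preamble = data[:PREAMBLE_LEN]
    findings["part10_file"] = data[PREAMBLE_LEN:PREAMBLE_LEN + 4] == DICOM_MAGIC
    if not findings["part10_file"]:
        return findings
    findings["preamble_is_zero"] = not any(preamble)

    for signature, name in EXECUTABLE_SIGNATURES.items():
        if preamble.startswith(signature):
            findings["executable"] = name
            break

    if preamble.startswith(b"MZ"):
        # In a DOS/PE header the little-endian uint32 at 0x3C (e_lfanew) gives the
        # offset of the "PE\0\0" signature. The preamble is only 128 bytes, so in a
        # PE/DICOM polyglot that signature must lie beyond the DICM magic.
        e_lfanew = struct.unpack_from("<I", preamble, 0x3C)[0]
        if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            findings["pe_header_offset"] = e_lfanew

    if findings["pe_header_offset"] is not None:
        findings["verdict"] = "quarantine: PE/DICOM polyglot"
    elif findings["executable"]:
        findings["verdict"] = "quarantine: executable signature in preamble"
    elif findings["preamble_is_zero"]:
        findings["verdict"] = "clean: zero preamble"
    else:
        findings["verdict"] = "review: non-zero preamble"
    return findings


def constructed_samples() -> dict:
    """Synthetic headers for demonstration only; not derived from any real file."""
    # Constructed start of a File Meta group: element (0002,0000) UL, length 4.
    body = b"\x02\x00\x00\x00UL\x04\x00\xbe\x00\x00\x00"
    clean = bytes(PREAMBLE_LEN) + DICOM_MAGIC + body

    # Polyglot: "MZ" stub whose e_lfanew points past the DICM magic to "PE\0\0".
    pe_offset = 256
    stub = bytearray(PREAMBLE_LEN)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, pe_offset)
    polyglot = bytes(stub) + DICOM_MAGIC + body
    polyglot += bytes(pe_offset - len(polyglot)) + b"PE\0\0" + bytes(20)

    # Benign non-zero preamble (hypothetical vendor tag) and a headerless legacy stream.
    vendor_tag = b"ACME SCANNER v1".ljust(PREAMBLE_LEN, b"\0") + DICOM_MAGIC + body
    legacy = b"\x08\x00\x05\x00CS\x0a\x00ISO_IR 100" + bytes(120)
    return {"clean": clean, "polyglot": polyglot, "vendor_tag": vendor_tag, "legacy": legacy}


if __name__ == "__main__":
    for name, sample in constructed_samples().items():
        print(f"{name:10s} -> {inspect_dicom_header(sample)['verdict']}")
```

A non-zero preamble is not by itself malicious (some vendors store identification strings there), so it is reported for review rather than quarantined; only a recognised executable signature, or a stub whose PE pointer resolves to a real "PE\0\0" signature, triggers quarantine.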

 

To date, the company has not received any reports of exploitation of these vulnerabilities or incidents from clinical use of Philips products that are associated with the type of attack demonstrated in published research. Additionally, Philips is not aware that the company’s devices were part of the research.

 

Philips welcomes collaboration with the security research community with regard to exploring strategies and methods to identify, address, and disclose known or potential cybersecurity threats to medical devices. Philips recognizes that the security of our healthcare, personal health, and home consumer products and services are business critical for our customers. We are dedicated to helping our customers maintain the confidentiality, integrity, and availability of personal data, business data and the Philips hardware and software products that create and manage this data.

 

Philips operates under a global Product Security policy governing design-for-security in product and services creation, as well as risk assessment and incident response activities for vulnerabilities identified in existing products.

 

In a medical device industry first, Philips has established a Security Center of Excellence (SCoE) to develop products that are cyber-resilient.

 

We have also taken the lead in creating a Coordinated Vulnerability Disclosure (CVD) Policy, to collaborate with customers, security researchers, regulators and other agencies to help identify, address and disclose potential vulnerabilities in a safe and effective manner.

 

To fulfill our commitment to security, Philips maintains a global program to:

 

  • Develop, deploy, and support advanced security features for our products and services
  • Manage security events in the field.

Philips participates in industry and government collaborations to help ensure that product innovations and clinical information are produced and available at the highest level of quality, availability, and confidentiality.

Philips Tasy EMR (30-April-2019)

Publication Date:  April 30, 2019

Update Date:  November 7, 2019

 

Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.

 

In accordance with Philips' Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible system security vulnerabilities, the company is proactively issuing an advisory regarding the Philips TASY EMR system Version 3.02.1744 and earlier (possible cross-site scripting issue) and the Philips TASY Web Portal Version 3.02.1757 and earlier (possible information exposure issue).

This is an update to the April 2019 Coordinated Vulnerability Disclosure by Philips regarding this software, to add the TASY Web Portal issue.

 

Philips has become aware that these potential issues may allow an attacker with low skill to compromise patient confidentiality, system integrity, and/or system availability. Some of the vulnerabilities could be exploited remotely.

 

At this time, Philips has received no reports of exploitation of these vulnerabilities, and no complaints or incidents from clinical use that we have been able to associate with this problem. Philips analysis has shown that it is unlikely that these vulnerabilities would impact clinical use, due to mitigating controls currently in place, and indicates that there is no expectation of patient hazard due to this issue.

 

Philips advises customers to follow the manufacturer instructions in the system configuration manual and not to expose the system to the Internet without a Virtual Private Network (VPN). Customers are also advised to run one of the three (3) most recent released versions, following the system software release schedule, and to apply service packs as soon as possible. Hosted solutions will be patched automatically. Customers running the application on premise are alerted via release notes to changes in the system.

 

Philips has reported this potential vulnerability and its resolution to customers and the appropriate government agencies, including US DHS ICS-CERT, which is issuing an advisory.

 

Users with questions regarding their specific Philips TASY EMR system are advised by Philips to contact their Customer Success Manager (CSM), local Philips service support team, or regional service support. Philips contact information is available at the following location:

https://www.usa.philips.com/healthcare/solutions/customer-service-solutions

Doomsday Docker (14-February-2019)

Publication Date:  February 14, 2019

Update Date: February 14, 2019

 

Philips is currently monitoring updates related to the recent advisory by the National Institute of Standards and Technology (NIST) regarding a flaw in runc, the container runtime underlying Docker and Kubernetes (see advisory: https://nvd.nist.gov/vuln/detail/CVE-2019-5736). runc is the underlying container runtime for Docker, Kubernetes, and other container-dependent programs; it is an open-source command-line tool for spawning and running containers.

 

As part of Philips' product security policy and protocols, Health Suite Digital Platform (HSDP) is aware of the recently disclosed security issue that affects several open-source container management systems (CVE-2019-5736). HSDP Operations reviewed the security bulletin and determined that the Cloud Foundry and container-host service environments are not vulnerable because user namespaces are strictly enforced: root inside a container is not mapped to root on the host, so a compromised container process lacks the host privileges needed to overwrite the host's runc binary, which is what this vulnerability relies on. No action is required by clients to address this security issue. At this time, Philips has not received reports of these vulnerabilities affecting clinical use of company products.
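The mitigation above can be verified per process rather than taken on trust. The following added example (not Philips or HSDP code) parses the kernel's /proc/<pid>/uid_map, whose lines read "<id inside the namespace> <id outside> <count>", resolves what host uid the container's uid 0 maps to, and classifies the result: the identity map of the initial namespace, or any explicit root-to-root mapping, means container root is real host root; a mapping onto a high host uid is the remapped case that blocks the overwrite. The sample maps are constructed; the 100000-range offsets are illustrative values, not HSDP configuration.

```python
"""Classify a container's root user from its /proc/<pid>/uid_map.

Added example; the uid_map samples below are constructed, not captured.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IdMapping:
    inside: int   # first id inside the user namespace
    outside: int  # first id in the parent (host) namespace
    count: int    # number of contiguous ids covered

    def to_host(self, inside_id: int) -> Optional[int]:
        """Translate an in-namespace id to its host id, or None if unmapped here."""
        if self.inside <= inside_id < self.inside + self.count:
            return self.outside + (inside_id - self.inside)
        return None


def parse_id_map(text: str) -> List[IdMapping]:
    """Parse the uid_map/gid_map file format; rejects malformed lines."""
    mappings = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError(f"non-positive count in id_map line: {line!r}")
        mappings.append(IdMapping(inside, outside, count))
    return mappings


def host_uid(mappings: List[IdMapping], inside_uid: int) -> Optional[int]:
    """Resolve an in-namespace uid against an ordered list of mappings."""
    for mapping in mappings:
        host = mapping.to_host(inside_uid)
        if host is not None:
            return host
    return None  # unmapped ids surface as the kernel's overflow uid (nobody)


def classify_container_root(uid_map_text: str) -> str:
    """'host-root' if uid 0 maps to host uid 0, 'remapped' if to another uid,
    'unmapped' if the map covers no uid 0 at all."""
    host = host_uid(parse_id_map(uid_map_text), 0)
    if host is None:
        return "unmapped"
    if host == 0:
        return "host-root"
    return "remapped"


def classify_process(pid: str = "self") -> str:
    """Read the live map of a process (Linux only) and classify it."""
    with open(f"/proc/{pid}/uid_map", encoding="ascii") as handle:
        return classify_container_root(handle.read())


# Constructed samples: the identity map seen in the initial user namespace
# (no remapping in effect), a 65536-id block remapped onto a high host range,
# and a rootless-style map where uid 0 is an ordinary host user.
SAMPLES = {
    "identity": "         0          0 4294967295\n",
    "remapped": "         0     100000      65536\n",
    "rootless": "         0       1000          1\n"
                "         1     100000      65535\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:9s} -> {classify_container_root(text)}")
```

Run inside the container whose isolation you want to confirm: a result of "host-root" means the user namespace is either absent or maps root straight through, and the overwrite-the-runtime class of attack is not blocked by namespacing alone.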

 

Philips advises customers with product concerns relating to these vulnerabilities to send an email to productsecurity@philips.com. Further information regarding Philips' recommendations for this event may be found at the Philips product security web site: https://www.philips.com/productsecurity

 

Customers with questions regarding their specific products are advised to contact their local Philips service support team or their regional service support. Philips contact information is available at the following web page: https://www.usa.philips.com/healthcare/solutions/customer-service-solutions