Publication Date: September 11, 2017
Update Date: September 11, 2017
Philips is releasing this advisory, confirming the findings of a customer submitted report that identified two vulnerabilities in the Philips’ IntelliVue MX40 Patient Worn Monitor for use with wireless local area networks (WLAN). Philips has produced a software update that fixes one of the identified vulnerabilities and provides mitigations for the other vulnerability. Philips is planning to release an additional software update in 2017 to address the remaining vulnerability.
Philips has received no reports of incidents from clinical use that we have been able to associate with this problem.
Partial Re-Association to Central Monitor [Improper Cleanup on Thrown Exception]:
Under specific 802.11 network conditions, a partial re-association of the MX40 Patient Worn Monitor (WLAN) to a compatible central monitoring system (Information Center”) is possible. In this state, although the Information Center provides a visible and audible “No Data Tele” INOP alert, the MX40 WLAN itself enters telemetry mode, i.e., its screen turns off in one minute and local alarming is disabled.
This potential issue was addressed with an IntelliVue MX40 software update (version B.06.18) issued in March 2017, which has been verified in mitigating the impact of network conditions on the device, and to ensure correct operation, messaging and alarm functions.
Wi-Fi Access Point (AP) “Blacklisting” [Improper Handling of Exceptional Conditions]:
Several specific 802.11 Wi-Fi network management instructions might not de-authenticate (disconnect) the MX40 from the access point (AP) without also placing the AP on a security AP blacklist to block or prevent further use of the AP without intervention by staff. While AP blacklisting from the MX40 is an intended security feature of MX40 in response to certain Wi-Fi management messages, several Wi-Fi messages have been identified to invoke AP blacklisting when not required and could be invoked either by environmental Wi-Fi network conditions or a crafted script.
This issue is mitigated by MX40 design and software update B.06.18 whereby MX40 switches into local mode with messaging and alarming on the local device and at the Central Station, thus alerting hospital staff when MX40 disconnects from the AP and disassociates from central. While mitigated, Philips recognizes the potential gap and concern and will release an MX40 software update targeted within 2017 to correct the intended alignment between Wi-Fi management messages and security blacklisting of the AP.
To date, the necessary network conditions for both issues (partial re-association, AP blacklisting) have only been found during system testing by a customer and Philips. Nonetheless, if either of the issues occurred while monitoring a patient, it could result to a delay in treatment. Philips therefore recommends customers update to MX40 software version B.06.18.
Under the terms of Philips’ Responsible Disclosure Policy, Philips worked with the customer and global and U.S. government agencies and related organizations to draft and distribute an advisory concerning this potential issue.
Publication Date: August 17, 2017
Update Date: August 17, 2017
Philips has confirmed the findings of a customer submitted complaint and vulnerability report that the Philips DoseWise Portal (DWP) application (version 18.104.22.1683 and 22.214.171.12469) contains security vulnerabilities of hard-coded database credentials stored in clear text (unencrypted) within backend system files behind current production security defenses.
Philips has received no reports of exploitation of these vulnerabilities or incidents from clinical use that we have been able to associate with this problem.
For an attacker to use or exploit these vulnerabilities to access the underlying DWP database, elevated privileges are first required in order for an attacker to access the web application backend system files that contain the hard-coded credentials. Successful exploitation may allow a remote attacker to gain access to the database of the DoseWise Portal application which contains patient health information (PHI). Potential impact could include compromise of patient confidentiality, system integrity, and/or system availability.
The Philips DoseWise Portal (DWP) is a radiation dose management solution which simplifies the collection, analysis and interpretation of patient radiation dose metrics and acquisition parameters across x-ray medical imaging devices. DoseWise Portal captures, tracks, alerts and reports on patient radiation dose to support users to perform statistical analysis of imaging equipment radiation output. This to provide quantitative trends and statistics that users may use as input in planning and tracking dose management improvement activities. DWP is a standalone Class A software in accordance with IEC 62304, classified as a low-safety-risk medical device.
Philips is scheduled to release a new product version and supporting product documentation in August 2017.
- Ensure network security best practices are implemented and
- Block Port 1433, except where a separate SQL server is used.
Philips has notified all customers of the identified vulnerabilities and will coordinate with customers to schedule updates. Philips encourages users to only use Philips-validated and authorized changes for the DoseWise Portal system supported by Philips’ authorized personnel or under Philips’ explicit published directions for product patches, updates, or releases.
Customers with questions regarding their specific DoseWise Portal installations should contact their local Philips service support team or their regional service support.
Philips manufactures, sells and helps you maintain highly complex medical devices and systems. Per policy, only Philips authorized changes are allowed to be made to these systems, either by Philips personnel or under Philips explicit published direction.
Please contact your Philips service representative for specific information about potential vulnerabilities and the availability of patches for your equipment configuration.