Security Advisory
Search terms
Customer Support
Search terms
Philips Product Security Status documents have product-specific vulnerability updates and security-related information such as supported anti-virus software, OS security features, and remote service.
Each product has its own table and the products are separated by modality, i.e. Informatics, Ultrasound, Magnetic Resonance, etc. The Status Documents list known software vulnerabilities, the current status, and Recommended Customer Action.
Revised tables are posted regularly with the latest available information.
As part of our commitment to product security and customer service, Philips Healthcare supplies our customers with information to help assess and address the vulnerabilities and risks associated with products that maintain or transmit ePHI.
Specifically, Philips Healthcare is using the Manufacturer Disclosure Statement for Medical Device Security (MDS²) to provide security information about its products.
The MDS² contains product specific security information such as:
The MDS², a universal reporting form which allows Philips Healthcare to supply its customers with model-specific information, is endorsed by the American College of Clinical Engineering (ACCE), ECRI (formerly the Emergency Care Research Institute), the National Electrical Manufacturers Association (NEMA), and the Healthcare Information and Management Systems Society (HIMSS).
The form also contains security practice recommendations and explanatory notes from the manufacturer as well as detailed.
To register, send an e-mail to Incenter@philips.com providing the following information:
Once your request is processed, you will receive an email from GCS Helpdesk with login and passcode information.
Already registered?
Publication Date: February 20, 2020
Update Date: February 20, 2020
Philips is currently monitoring developments and updates related to the recent Bluetooth Low Energy (BLE) alert concerning the reported SweynTooth, a family of 12 vulnerabilities (CVE-2019-16336, CVE-2019-17519, CVE-2019-17517, CVE-2019-17518, CVE-2019-17520, CVE-2019-19195, CVE-2019-19196, CVE-2019-17061, CVE-2019-17060, CVE-2019-19192, CVE-2019-19193, CVE-2019-19194 ).
As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Bluetooth Low Energy (BLE) for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for updates related to these vulnerabilities and evaluating further actions or updates to potentially affected Philips products.
According to Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics and Telink Seminconductor, successful exploitation of these vulnerabilities allows an attacker in radio range to trigger deadlocks, crashes, and buffer overflows or completely bypass security depending on the circumstances.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.
Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products.
Publication Date: January 16, 2020
Update Date: February 4, 2020
Philips is currently monitoring developments and updates related to the recent Microsoft alert concerning the reported Curve Ball or NSA Crypt or CryptoAPI spoofing vulnerability (CVE-2020-0601).
As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for OS updates related to these vulnerabilities and evaluating further actions or updates to potentially affected Philips products.
Microsoft has released patches to help remediate these vulnerabilities. Philips is currently in the process of evaluating these patches. According to Microsoft, successful exploitation of this vulnerability allows Elliptic Curve Cryptography (ECC) certificate validation to bypass the trust store, enabling unwanted or malicious software to masquerade as authentically signed by a trusted or trustworthy organization. This could deceive users or thwart malware detection methods such as antivirus. Additionally, a maliciously crafted certificate could be issued for a hostname that did not authorize it, and a browser that relies on Windows CryptoAPI would not issue a warning, allowing an attacker to decrypt, modify, or inject data on user connections without detection.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.
Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products.
Begin Update B: February 4, 2020
Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2020-0601. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.
| Achieva (Upgrade R1, R2, R3 to R5), R5, 3.0T, 3.0T (TX), and XR) | Forcare Suite* | IntelliSpace Portal Workstation* |
| CareEvent* | Holter Recorder DigiTrak XT (CTXT)* | IntelliVue Guardian Software |
| CompuRecord G.01* | Illumeo 2.0* | IntraSight |
| Diagnostics Site Server (DSS) | Ingenia (Upgrade to R5 & Factory R5) | MobileDiagnost wDR |
| DigitalDiagnost C90 | Intellibridge Enterprise (IBE)* | Multiva/Prodiva |
| DoseWise Portal | IntelliSpace Cardiovascular (ISCV)* | PIC iX* |
| EchoNavigator | IntelliSpace Console Critical Care (ISCCC) | ST80i A.02 |
| eICU eCare Manager | IntelliSphere Critical Care and Anesthesia (ICCA)*,** | VSS Dashboard* |
| FocalPoint A.0/A.01* | IntelliSpace ECG Management System B.00 (IECG) | Xper IM* |
*Software only products with customer owned Operating Systems
**Information or patch available in Incenter
Begin Update A: January 21, 2020
Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2020-0601. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.
| Achieva (Upgrade R1, R2, R3 to R5), R5, 3.0T, 3.0T (TX), and XR) | Corsuim | Diagnostics Site Server (DSS) |
| DigitalDiagnost C90 | EchoNavigator | Holter Recorder DigiTrak XT (CTXT) |
| Illumeo 2.0 | Ingenia (upgrade to R5 and Factory R5) | IntelliSpace Connect |
| IntelliSpace Discovery 2.0 | IntelliSpace ECG Management System B.00 (IECG) | IntelliSpace Portal SErver |
| IntelliSpace Portal Workstation | MobileDiagnost wDR | Multiva/Prodiva |
| ST80i A.02 | | |
Publication Date: January 15, 2020
Update Date: January 31, 2010
Philips is currently monitoring developments and updates related to the recent Microsoft alert concerning the reported Windows RD Gateway and Windows Remote Desktop Client vulnerabilities (CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611).
As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for OS updates related to these vulnerabilities and evaluating further actions or updates to potentially affected Philips products.
Microsoft has released patches to help remediate these vulnerabilities. Philips is currently in the process of evaluating these patches. According to Microsoft, successful exploitation of this vulnerability could allow an unauthorized user to execute arbitrary code on the target system. An unauthorized user could then install programs; view, change, or delete data; or create new accounts with full user rights.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.
Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products.
Begin Update B: February 4, 2020
Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.
| Achieva (R1, R2, R3 to R5, R5, 3.0T, 3.0TX, and XR) | Epiq | Multiva |
| Affiniti | FlexCardio | Multiva/Prodiva |
| Allura (Centron, Clarity, Xper) | FocalPoint A.0/A.01 | PIC iX* |
| Azurion | Holter Recorder DigiTrak XT (DTXT)* | PIIC Classic |
| CareEvent* | Illumeo 2.0 | Prograde |
| ClearVue | Ingenia (upgrade to R5 & Factory R5) | ProxiDiagnost N90 |
| CombiDiagnost R90 | Intelibridge Enterprise (IBE)* | Sparq |
| CompuRecord (F.02, G.00, G.01)* | IntelliSpace Breast | SPhAERA (3.0 to 3.5, 3.6 & greater) |
| Core M2 | IntelliSpace Cardiovascular (ISCV)* | ST80i A.02* |
| Coronary Tools | IntelliSpace Console Critical Care (ISCCC) | SyncVision |
| CX50/30 | IntelliSpace Discovery 2.0 | UDM |
| Diagnostics Site Server (DSS) | IntelliSpace ECG Management System B.00 (IECG)* | ViewForum |
| DigitalDiagnost (C50, C90, Opta C50) | IntelliSpace Perinatal (ISP)* | Volcano Core Imaging System |
| DoseWise Portal* | IntelliSpace Portal (Server & Workstation) | Volcano Core Mobile Imaging System |
| DR Compact | IntelliVue Guardian Software* | VSS Dashboard* |
| DuraDiagnost (Compact and F30) | ISP Anywhere | Xcelera 4.1* |
| EasyDiagnost | ISP VL Caputre 1.1 Visible Light | XIRIS 8.3 |
| EchoNavigator | Juno DRF (5.7) | Xper IM* |
| eICU Care Manager | MicroDose (S0 (Balder), S1 (L50), S1 U (L50 U)) | XtraVision |
| EP Navigator | MobileDiagnost (M50, Opta, and wDR) | |
*Software only products with customer owned Operating Systems
**Information or patch available in Incenter
End Update B
Begin Update A: January 21, 2020
Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.
| Access CT (6 & 16 Slice) | Achieva (R1, R2, R3 to R5, R5, 3.0T, 3.0TX, and XR) | Brilliance (Big Bore Radiology, CT 64, CT Big Bore, iCT, iCT SP) |
| CombiDiagnost R90 | Corsium | CT MX16 EV02 |
| Diagnostics Site Server (DSS) | DigitalDiagnost (C50, C90, Opta C50) | DR Compact |
| DuraDiagnost (Compact and F30) | EasyDiagnost | Holter Recorder DigiTrak XT (DTXT) |
| Ingenia (upgrade to R5 & Factory R5) | Ingenuity (Core, Core 128, Core128/Elite China, CT, CT Brazil, TF PET/CT, TF PET/CT RoHS systems) | IntelliSpace Breast |
| IntelliSpace Connect Release 1.0 | IntelliSpace ECG Management System B.00 (IECG) | IQon Spectral CT |
| Juno DRF | MicroDose (S0 (Balder), S1 (L50), S1 U (L50 U)) | MobileDiagnost (M50, Opta and wDR) |
| Multiva | Multiva/Prodiva | Prograde |
| ProxiDiagnost N90 | SPhAERA (3.x & 4.x) | ST80i A.02 |
| Vereos | | |
**Information or patch available in Incenter
End Update A
Publication Date: January 14, 2020
Update Date: January 14, 2020
Philips is aware that Microsoft is ending Extended Support for the Windows 7 and Windows Server 2008 R2 operating systems on January 14, 2020.
As part of Philips product lifecycle management processes, product security policy, and associated protocols, and in anticipation of the expiration of Microsoft’s Extended Support period for Windows 7 and Windows Server 2008 R2, Philips has been evaluating Philips products and solutions that utilize these operating systems.
Philips is currently working to provide information regarding expiration of Microsoft extended support for Windows 7 and Windows Server 2008 as related to Philips products and solutions together with guidance to attain any further required product-specific information in support of any Philips products or solutions that use these Microsoft operating systems.
Philips products and solutions must be deployed and operated within Philips-approved product specifications as noted in their Instructions for Use. Also, as required by government regulations in the markets we operate in, all changes of configuration or software to Philips’ products or solutions (including operating system security updates and patches) may be implemented only by following Philips product-specific, verified and validated, authorized, and communicated customer procedures or field actions.
Contract-entitled customers and service representatives may access product-specific service documentation produced by
Philips product teams and made available to Philips product service support and/or service delivery platforms
such as Philips InCenter (https://incenter.medical.philips.com). Entitled customers are encouraged to request Philips InCenter access and reference product-specific information when posted. Customers are also encouraged to contact their local service support team or regional product service support for information specific to their Philips’ products or environments.
Philips is providing the list below in order to assist our customers in identifying Philips’ products and solutions running on Microsoft Windows 7 or Windows Server 2008 R2. However, the list below is not exhaustive for all affected Philips products, and it includes:
| Access CT 6/16 – 2.x | Brilliance Big Bore / 4.2 | Brilliance iCT/4.x, iCT SP/4.x, 64/4.x |
| CareEvent * | CompuRecord * | Core Imaging S5 3.5, M2 4.2, |
| Diagnostic Site Server (DSS) | DynaCAD Breast and Prostate | DynaSuite Neuro 3 |
| eCareManager * | eICU * | G3 Alice6 * |
| HCIS RIS 2010 10.x Clients | HCIS Vue PACS 11.3, Vue PACS 11.4 * | HCIS Vue RIS 11.0.12.x, |
| HeartStart Configure 3.1 * | HeartStart Data Messenger 4.3.1 * | HeartStart Event Review 3.x, 4.x *,**** |
| HeartStart Event Review Pro 5.0 * | IBE * | IEM v11.0x * |
| Incisive CT/1.0 | Ingenuity CT / 4.x, Core, Core 128 | Ingenuity TF/4.0.x |
| IntelliSpace Critical Care and Anesthesia (ICCA) * | IntelliSpace ECG Management System B.00 (IECG) * | IntelliSpace ECG Management System B.00 (IECG) * |
| IntelliSpace PACS 4.4 | IntelliSpace Perinatal * | IntelliVue Guardian Software * |
| ISCV 1.x, 2.x, 3.x, 4.x * | ISP Anywhere 1.3 | ISP6/7/8 |
| Mobile 3.5 | MX 16/2.x | Oncad |
| PIIC iX, PIIC Classic * | Respironics Actiware * | SensaVue HD and fMRI |
| Sleepware G3 * | SPhAERA (3.0 to 3.5) **** | ST80i A.02 * |
| Syncvision 4.2 | Tempus ReachBak i2i * | UDM 1.1, 2.1 |
| Vereos/2.0.x | Viewforum for Fixed Systems V6.3V1L9 | Viewforum for Mobile Systems V6.3V1L7, V6.3V1L8 |
| Vue RIS 11.0.14.x | Xcelera 4.1 * | XIRIS 8.3 |
| Xper Flex Cardio | Xper IM 1.5, 2.x * | |
Information available from Philips InCenter, local service support, or regional product service support.
* Software only products with customer owned Operating Systems
**** End of Life (EoL)
If customers still have questions, all customers are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products or solutions.
Publication Date: December 19, 2019
Update Date: December 19, 2019
Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.
In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible system security vulnerabilities, the company is proactively issuing an advisory regarding specific Philips Veradius Unity (718132) Medical Devices with a Dual WAN Router (with wireless or ViewForum options) shipped between 2016 and August 2018. In addition, Pulsera (718095), and Endura (718075) Medical Devices with a Dual WAN Router (with wireless or ViewForum options) shipped between 26 June 2017 and 07 August 2018.
Philips has become aware that affected routers may have inadequate encryption strength, which may allow an unauthorized user to compromise the router management interface.
Data confidentiality is protected by internal system design preventing exploitation of the Dual WAN router vulnerability. Even if the Dual Wan Router vulnerability is exploited there is no possible access to patient data or interference with usage of the system. Thus, the medical device is safe to use and has no security risk.
Philips has a solution available for customers who have the wireless or ViewForum option in their product to update the configuration of the Dual WAN router.
To contact their local Philips service support team, or regional service support, Philips contact information is available at the following location:
https://www.usa.philips.com/healthcare/solutions/customer-service-solutions
Please see the Philips product security web site for the latest security information for Philips products: https://www.philips.com/productsecurity
Philips has reported this potential vulnerability and its resolution to customers and the appropriate government agencies, including US DHS CISA, which is issuing an advisory.
Publication Date: November 14, 2019
Update Date: December 12, 2019
Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive, ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.
In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible security vulnerabilities, the company is proactively issuing an advisory regarding the Philips IntelliBridge EC40 and EC80 Hub.
Philips has become aware of a potential issue with inadequate encryption strength associated with the Philips IntelliBridge EC40 and EC80 Hub. Successful exploitation of this issue may allow an unauthorized user access to the hub, and may allow access to execute software, modify system configuration, or view/update files, including unidentifiable patient data. No known public exploits specifically target this vulnerability. This vulnerability is exploitable from an adjacent network.
Philips plans a new release to remediate this issue by the end of Q3 2020. Philips has not received any reports of exploitation of this vulnerability or of incidents from clinical use that we have been able to associate with this issue.
Philips has reported this potential vulnerability and its mitigation to customers and the appropriate government agencies, including CISA, which is issuing an advisory.
Users with questions regarding their specific Philips IntelliBridge EC40/EC80 Hub installation should contact their local Philips service support team, or regional service support. Philips contact information is available at the following location:
https://www.usa.philips.com/healthcare/solutions/customer-service-solutions
US DHS CISA (Cybersecurity and Infrastructure Security Agency): https://www.us-cert.gov/ics/advisories/icsma-19-318-01
Publication Date: October 24, 2019
Update Date: October 24, 2019
Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive, ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.
In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible security vulnerabilities, the company is proactively issuing an advisory regarding the Philips IntelliSpace Perinatal obstetrics information system.
Philips has become aware that for Versions K and prior of the Philips IntelliSpace Perinatal system, a potential vulnerability may allow an unauthorized user access to system resources. This could impact confidentiality and integrity of the system and application. To exploit this issue, an attacker would require physical access to a locked application screen, or a remote desktop session host application.
Philips has not received any reports of exploitation of this vulnerability or of incidents from clinical use that we have been able to associate with this issue. Philips is providing customers with a detailed update to Philips IntelliSpace Perinatal documentation to provide clear guidance on recommended mitigations for this issue. This documentation is available to customers on Philips InCenter. Philips will be further assessing potential mitigations in the next minor product update, which is planned for the end of 2020.
Philips has reported this potential vulnerability and its mitigation to customers and the appropriate government agencies, including CISA, which is issuing an advisory.
Users with questions regarding their specific Philips IntelliSpace Perinatal installation should contact their Customer Success Manager (CSM), local Philips service support team, or regional service support. Philips contact information is available at the following location:
https://www.usa.philips.com/healthcare/solutions/customer-service-solutions
Please see the Philips product security web site for the latest security information for Philips products: https://www.philips.com/productsecurity
Publication Date: September 12, 2019
Update Date: September 12, 2019
In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible system security vulnerabilities, the company is proactively issuing an advisory regarding Versions A and B of the Philips IntelliVue Wireless Local Area Network (WLAN) module available in specific Philips IntelliVue Patient Monitors.
Philips has become aware that under certain specific conditions, an unauthorized user with a high skill level and access to the device’s local area network, may be able to corrupt the WLAN firmware and impact data flow. Should there be an interruption; an inoperative device alert on the device and on its associated central station would appear.
At this time, Philips has received no reports of patient harm. Philips analysis has shown that it is unlikely that this vulnerability would impact clinical use, due to mitigating controls currently in place. To date, Philips has received no complaints involving clinical use that we have been able to associate with this problem, or evidence of patient identifiers compromised.
To address this issue, Philips recommends customers update to the WLAN Module Version C wireless module in affected IntelliVue Monitors. WLAN Version C with current firmware of B.00.31 is not vulnerable to the described attack. Regarding other versions, WLAN Version A will be addressed via software patch from Philips estimated to be available in Incenter by the end of 2019. The Philips WLAN Version B is obsolete. Wireless network access should be controlled by authentication and authorization (e.g. WPA2), which are supported by Philips. Additional mitigations include implementing a firewall rule on the customer wireless network, and further controls on physical access to the system.
Philips has reported this potential vulnerability and its resolution to customers and the appropriate government agencies, including US DHS ICS-CERT, which is issuing an advisory.
Users with questions regarding their Philips IntelliVue WLAN Module software are advised by Philips to contact their local Philips service support team, or regional service support. Philips contact information is available at the following location:
https://www.usa.philips.com/healthcare/solutions/customer-service-solutions
Please see the Philips product security web site for the latest security information for Philips products: https://www.philips.com/productsecurity
Publication Date: August 29, 2019
Update Date: August 29, 2019
Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive, ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.
In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible system security vulnerabilities, the company is proactively issuing an advisory regarding the Philips HDI 4000 Ultrasound system. This system was discontinued in 2006, and product support ceased in 2013.
Philips has become aware that if the Philips HDI 4000 Ultrasound system is running on outdated, unsupported operating systems, such as Windows 2000, an unauthorized user may be able to access ultrasound images or compromise image integrity.
Philips has not received any reports of exploitation of these vulnerabilities or of incidents from clinical use that we have been able to associate with this problem. This issue does not affect patient safety, system operations, or availability.
Philips recommends as mitigation that users implement controls to limit access to the network and consider replacing the system with a newer technology and supported operating system.
Philips has reported this potential vulnerability and its mitigation to customers and the appropriate government agencies, including US DHS ICS-CERT, which is issuing an advisory.
Users with questions regarding their specific Philips HDI 4000 Ultrasound system installation should contact their Customer Success Manager (CSM), local Philips service support team, or regional service support. Philips contact information is available at the following location:
https://www.usa.philips.com/healthcare/solutions/customer-service-solutions
Please see the Philips product security web site for the latest security information for Philips products: https://www.philips.com/productsecurity
Publication Date: August 15, 2019
Update Date: December 13, 2019
Philips is currently monitoring developments and updates related to the recent Microsoft alert concerning the reported Remote Desktop Services Remote Code Execution vulnerability named DejaBlue (CVE-2019-1181 and CVE-2019-1182).
As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for OS updates related to these vulnerabilities and evaluating further actions or updates to potentially affected Philips products.
Microsoft has released patches to help remediate these vulnerabilities. Philips is currently in the process of evaluating these patches. Successful exploitation of this vulnerability could allow an unauthorized user to execute arbitrary code on the target system. An unauthorized user could then install programs; view, change, or delete data; or create new accounts with full user rights.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.
Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products.
Begin Update B: December 13, 2019
| Affiniti (30,50,70) | IE33 | Juno DRF(5.7) |
| Analytics 1.1 | IEM v11.01-v11.04** | MicroDose SI (L50) (9.0 P1,P2,P3) |
| ClearVue | IntelliSpace Breast (v2.1, 2.2, 3.1, 3.2) | MicroDose SI U (L50 U)(9.0 P1,P2,P3) |
| CX50/30 | IntelliSpace Cardiovascular (ISCV 1.x - 3.x))* | Sparq |
| DSS | IntelliSpace PACS 4.4 | SPhAERA`(3.6 & up) |
| Efficia Central - SureSigns Monitor / CMS200(C.01)** | IntelliSpace PACS 4.4.55x | UDM(1.1, 2.1) |
| Envisor | IntelliSpace Portal Server(7,8,9)** | VISIQ |
| Epiq (5/7) | IntelliSpace Portal Workstation(7,8,9,10)** | Xcelera 4.1 |
| FocalPoint (A.0/A.01)** | ISP Anywhere(1.3) | XIRIS (8.1, 8.3) |
| IBE (B.02 - B.09)*,** | ISP VL Caputre 1.1 Visible Light | Xper IM(1.5, 2.x) |
| IDM | IU22 | |
*Software only products with customer owned Operating Systems
**Information or patch available in Incenter
Note:
For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips service teams from providing any required immediate and proactive support such as remote patching.
Philips is continuing to assess the Microsoft patch for Philips’ products and services that use remote desktop services. Philips will use Incenter as the communication mechanism for necessary mitigation or remediation.
End Update B
Publication Date: August 1, 2019
Update Date: December 11, 2019
Security researchers at Armis have disclosed 11 different zero-day vulnerabilities within Wind River’s VxWorks, a real-time operating system used in over 2 billion embedded systems that include medical devices, routers, VOIP phones and mission-critical infrastructure equipment. The collection of vulnerabilities, which Armis refers to as "Urgent/11," could lead to remote code execution and allow an attacker to take over a whole system without interacting with the user. Of the 11 flaws, six are deemed critical. Successful exploitation of this vulnerability could allow an unauthorized user to execute arbitrary code on the target system. An unauthorized user could then install programs; view, change, or delete data; or create new accounts with full user rights.
Philips is currently monitoring developments and updates related to the recent published advisory (ICSA-19-211-01) concerning the reported 11 CVEs as referred to as Urgent/11. In the advisory, there are several versions of VxWorks listed as not vulnerable, which Philips has taken into consideration for product evaluation and analysis.
As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing VxWorks for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for OS updates related to these vulnerabilities and evaluating further actions or updates to potentially affected Philips products. VxWorks has released patches to help remediate these vulnerabilities. Philips is currently in the process of evaluating these patches.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.
Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products.
Begin Update E: December 11, 2019
Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to Urgent/11. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.
| Achieva and Achieva 3.0T (R5.3, R5.4 and higher)*** | HDI 3500 **** | Multiva/Prodiva (R5.4)*** |
| BrightView SPECT(1.x)*** | HDI 3000 **** | Smart-hopping Access Point Controller (for MX40 and Telemetry products)** |
| BrightView X(2.x)*** | Ingenia (R4, R5.3, R5.4 and higher)*** | Zenition** |
| BrightView XCT(2.x)*** | IntelliSpace Breast (v2.1, 2.2, 3.1, 3.2) | |
| GEOPC (Component of Allura & Azurion) *** | Multiva (R5.3, R5.4)*** | |
**Information or patch available in Incenter
*** Vulnerability is TCP/IP related and these are not network connected
**** End of Life (EoL)
End Update E
Begin Update D: September 11, 2019
Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to Urgent/11. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.
| Achieva and Achieva 3.0T (R5.3, R5.4 and higher)*** | GEOPC (Component of Allura & Azurion) *** | HDI 3000 **** |
| HDI 3500 **** | Ingenia (R4, R5.3, R5.4 and higher)*** | Multiva (R5.3, R5.4)*** |
| Smart-hopping Access Point Controller (for MX40 and Telemetry products)** | Multiva/Prodiva (R5.4)*** | Zenition** |
**Information or patch available in Incenter
*** Vulnerability is TCP/IP related and these are not network connected
**** End of Life (EoL)
End Update D
Begin Update C: August 15, 2019
Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to Urgent/11. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.
| Achieva and Achieva 3.0T (R5.3, R5.4 and higher)*** | GEOPC (Component of Allura & Azurion) *** | HDI 3000 **** |
| HDI 3500 **** | Ingenia (R4, R5.3, R5.4 and higher)*** | Multiva (R5.3, R5.4)*** |
| Smart-hopping Access Point Controller (for MX40 and Telemetry products) | Multiva/Prodiva (R5.4)*** | Zenition** |
**Information or patch available in Incenter
*** Vulnerability is TCP/IP related and these are not network connected
**** End of Life (EoL)
End Update C
Begin Update B: August 8, 2019
Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to Urgent/11. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.
Update B supersedes products listed in Update A as they were determined to be running non-vulnerable versions of VxWorks.
| GEOPC (Component of Allura & Azurion) *** | HDI 3000 **** | HDI 3500 **** |
| Smart-hopping Access Point Controller (for MX40 and Telemetry products) | Zenition** | |
**Information or patch available in Incenter
*** Vulnerability is TCP/IP related and these are not network connected
**** End of Life (EoL)
End Update B
Begin Update A: August 2, 2019
Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to Urgent/11. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.
<Reference table in Update B>
**Information or patch available in Incenter
End Update A
Publication Date: July 11, 2019
Update Date: July 11, 2019
Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.
In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible system security vulnerabilities, the company is proactively issuing an advisory regarding the Philips Holter 2010 Plus electrocardiogram (EKG) software.
Philips has become aware that under certain specific conditions, an unauthorized user with high skill level may potentially be able to access software options not purchased by the customer. The threat if exploited could lead to the enablement of system options not purchased. It does not impact patient safety, patient data integrity or confidentiality or system operations.
Philips recommends users implement role-based access controls to control physical access to the system. Further controls are provided by the multiple components required to exploit the vulnerability.
Philips has reported this potential vulnerability and its resolution to customers and the appropriate government agencies, including US DHS ICS-CERT, which is issuing an advisory.
Users with questions regarding their specific Philips Holter 2010 Plus software installation are advised by Philips to contact their Customer Success Manager (CSM), local Philips service support team, or regional service support. Philips contact information is available at the following location:
https://www.usa.philips.com/healthcare/solutions/customer-service-solutions.
Publication Date: May 15, 2019
Update Date: December 10, 2019
Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2019-0708. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.
| Analytics 1.1 | IntelliSpace Breast (v2.1, 2.2, 3.1, 3.2) | MicroDose SI U L50 U (9.0 P1, P2, P3, P4, P5)** |
| CompuRecord (F.02, G.00, and G.01)* | Intellispace Cardiovascular (ISCV)*,**** | MR** Intera/Achieva/Ingenia/Multiva/Panorama 1.0T/Prodiva R5.3 |
| Diagnostics Authoring Workspot (DAW)** | IntelliSpace ECG Management System B.00 (IECG)*, ** | Oncad |
| Diagnostics Site Server (DSS) | IntelliSpace PACS (4.4, 4.4.551, 4.4.553)*** | PIIC Classic (L, M, N, N.01)** |
| DynaCAD Breast and Prostate* | IntelliSpace Perinatal Revision (H, J, K)*,** | PIIC iX (A.0, B.0, B.02)** |
| DynaSuite Neuro 3* | IntelliSpace Portal (ISP) Server& Workstation** | SensaVue HD & FMRI |
| Efficia Central - SureSigns Monitor / CMS200 | IntelliVue Guardian Software*,** | ST80i A.02*,** |
| eICU*,** | Invivo Esys | UDM (v1.1, 2.1)*** |
| Extended Brilliance Workspace (EBW)** | ISEE** | UroNav (1.x/2.x) |
| Forcare suite* | ISP Anywhere (v1.3) | Xcelera 4.1* |
| Holter Recorder DigiTrak XT (DTXT) * | ISP VL Caputre 1.1 Visible Light (v1.1) | XIRIS (8.2, 8.3) |
| IBE (B.02, B.03, B.04, B.05, B.06, B.07, B.08, B.09, B.10)** | Juno DRF (5.0-.6, 5.7)** | Xper IM*,** |
| ICCA (F, G)*,** | Lung Cancer Screening Solution* | |
| IDM | MicroDose L30 (8.0, 8.1, 8.2 P1, 8.3 P1, 8.4 P1 P2 P3)** | |
| IEM (v11.00, v11.01, v11.02, v11.03, v11.04)** | MicroDose SI L50 (9.0 P1, P2, P3, P4, P5)** | |
*Software only products with customer owned Operating Systems
**Information or patch available in Incenter
***Philips hosting business validated and deployed the patch to the managed infrastructure
****Patch is tested and can be installed via the windows update mechanism
Note:
For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips service teams from providing any required immediate and proactive support such as remote patching.
Philips is continuing to assess the Microsoft patch for Philips’ products and services that use remote desktop services. Philips will use Incenter as the communication mechanism for necessary mitigation or remediation.
Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2019-0708. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.
| Analytics 1.1 | IntelliSpace Breast (v2.1, 2.2, 3.1, 3.2) | MicroDose SI L50 (9.0 P1, P2, P3, P4, P5) |
| CompuRecord (F.02, G.00, and G.01)* | Intellispace Cardiovascular (ISCV)* | MicroDose SI U L50 U (9.0 P1, P2, P3, P4, P5) |
| Diagnostics Authoring Workspot (DAW)** | IntelliSpace ECG Management System B.00 (IECG)*, ** | MR Intera/Achieva/Ingenia/Multiva/Prodiva R5.3 |
| Diagnostics Site Server (DSS) | IntelliSpace PACS (4.4, 4.4.551, 4.4.553) | PIIC Classic (L, M, N, N.01)** |
| Efficia Central - SureSigns Monitor / CMS200 | IntelliSpace Perinatal Revision (H, J, K)*,** | PIIC iX (A.0, B.0, B.02)** |
| eICU*,** | IntelliSpace Portal (ISP) Server& Workstation** | ST80i A.02*,** |
| Extended Brilliance Workspace (EBW)** | IntelliVue Guardian Software* | UDM (v1.1, 2.1) |
| Forcare suite* | ISEE | Xcelera 4.1* |
| Holter Recorder DigiTrak XT (DTXT) * | ISP Anywhere (v1.3) | XIRIS (8.2, 8.3) |
| IBE (B.02, B.03, B.04, B.05, B.06, B.07, B.08, B.09, B.10)** | ISP VL Caputre 1.1 Visible Light (v1.1) | Xper IM* |
| ICCA (F, G)** | Juno DRF (5.0-.6, 5.7) | |
| IEM (v11.00, v11.01, v11.02, v11.03, v11.04)** | MicroDose L30 (8.0, 8.1, 8.2 P1, 8.3 P1, 8.4 P1 P2 P3) | |
*Software only products with customer owned Operating Systems
**Information or patch available in Incenter
Note:
For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips service teams from providing any required immediate and proactive support such as remote patching.
Philips is continuing to assess the Microsoft patch for Philips’ products and services that use remote desktop services. Philips will use Incenter as the communication mechanism for necessary mitigation or remediation.
Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2019-0708. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.
| CompuRecord (F.02, G.00, and G.01)* | IBE (B.02, B.03, B.04, B.05, B.06, B.07, B.08, B.09, B.10)** | IntelliSpace Portal (ISP) Server& Workstation** |
| Diagnostics Authoring Workspot (DAW)** | ICCA (F, G)** | IntelliVue Guardian Software* |
| Efficia Central - SureSigns Monitor / CMS200 | IEM (v11.00, v11.01, v11.02, v11.03, v11.04)** | MR Intera/Achieva/Ingenia/Multiva/Prodiva R5.3 |
| eICU*,** | IntelliSpace Breast | PIIC Classic (L, M, N, N.01)** PIIC iX (A.0, B.0, B.02)** |
| Extended Brilliance Workspace (EBW)** | Intellispace Cardiovascular (ISCV)* | ST80i A.02*,** |
| Forcare suite* | IntelliSpace ECG Management System B.00 (IECG)*, ** | Xcelera 4.1* |
| Holter Recorder DigiTrak XT (DTXT) * | IntelliSpace Perinatal Revision (H, J, K)*,** | Xper IM* |
*Software only products with customer owned Operating Systems
**Information or patch available in Incenter
Note:
For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips service teams from providing any required immediate and proactive support such as remote patching.
Philips is continuing to assess the Microsoft patch for Philips’ products and services that use remote desktop services. Philips will use Incenter as the communication mechanism for necessary mitigation or remediation.
Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2019-0708. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.
| CompuRecord (F.02, G.00, and G.01)* | IBE (B.02, B.03, B.04, B.05, B.06, B.07, B.08, B.09, B.10)** | IntelliSpace Portal (ISP) Server& Workstation** |
| DAW** | ICCA (F, G)** | IntelliVue Guardian Software* |
| Efficia Central - SureSigns Monitor / CMS200 | IEM (v11.00, v11.01, v11.02, v11.03, v11.04)** | MR Intera/Achieva/Ingenia/Multiva/Prodiva R5.3 |
| eICU* | IntelliSpace Breast | PIIC Classic (L, M, N, N.01) |
| Extended Brilliance Workspace (EBW)** | Intellispace Cardiovascular (ISCV)* | ST80i A.02 |
| Forcare suite* | IntelliSpace ECG Management System B.00 (IECG)* | Xcelera 4.1* |
| Holter Recorder DigiTrak XT (DTXT) * | IntelliSpace Perinatal Revision (F, J.x)* | Xper IM* |
*Software only products with customer owned Operating Systems
**Information or patch available in Incenter
Note:
For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips service teams from providing any required immediate and proactive support such as remote patching.
Philips is continuing to assess the Microsoft patch for Philips’ products and services that use remote desktop services. Philips will use Incenter as the communication mechanism for necessary mitigation or remediation.
Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2019-0708. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.
| CompuRecord (F.02, G.00, and G.01)* | IBE (B.02, B.03, B.04, B.05, B.06, B.07, B.08, B.09, B.10)** | IntelliSpace Portal (ISP) Server& Workstation** |
| DAW** | ICCA (F, G)** | IntelliVue Guardian Software* |
| Efficia Central - SureSigns Monitor / CMS200 | IEM (v11.00, v11.01, v11.02, v11.03, v11.04)** | PIIC Classic (L, M, N, N.01) |
| eICU* | IntelliSpace Breast | ST80i A.02 |
| Extended Brilliance Workspace (EBW)** | Intellispace Cardiovascular (ISCV)* | Xcelera 4.1* |
| Forcare suite* | IntelliSpace ECG Management System B.00 (IECG)* | Xper IM* |
| Holter Recorder DigiTrak XT (DTXT) * | IntelliSpace Perinatal Revision (F, J.x)* | |
*Software only products with customer owned Operating Systems
**Information or patch available in Incenter
Note:
For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips service teams from providing any required immediate and proactive support such as remote patching.
Philips is continuing to assess the Microsoft patch for Philips’ products and services that use remote desktop services. Philips will use Incenter as the communication mechanism for necessary mitigation or remediation.
Philips is providing the list below in order to better assist our customers in identifying any Philips’ products running Windows XP, Windows 7, Windows 2003 and Windows 2008. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.
| CompuRecord (F.02, G.00, and G.01) | Efficia Central - SureSigns Monitor / CMS200 | eICU |
| Holter Recorder DigiTrak XT (DTXT) | IBE (B.02, B.03, B.04, B.05, B.06, B.07, B.08, B.09, B.10) | ICCA (F, G) |
| IEM (v11.00, v11.01, v11.02, v11.03, v11.04) | IntelliSpace ECG Management System B.00 (IECG) | IntelliSpace Perinatal Revision (F, J.x) |
| IntelliVue Guardian Software | ST80i A.02 | |
Note:
For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips service teams from providing any required immediate and proactive support such as remote patching.
Philips is continuing to assess the Microsoft patch for Philips’ products and services that use remote desktop services. Philips will use Incenter as the communication mechanism for necessary mitigation or remediation.
Philips is currently monitoring developments and updates related to the recent Microsoft alert concerning the reported Remote Desktop Services Remote Code Execution vulnerability (CVE-2019-0708).
As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for OS updates related to these vulnerabilities and evaluating further actions or updates to potentially affected Philips products.
Microsoft has released patches to help remediate these vulnerabilities. Philips is currently in the process of evaluating these patches.
Successful exploitation of this vulnerability could allow an unauthorized user to execute arbitrary code on the target system. An unauthorized user could then install programs; view, change, or delete data; or create new accounts with full user rights.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.
Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products.
Publication Date: May 2, 2019
Update Date: June 6, 2019
Philips is aware of recently published findings by security researchers regarding the potential for cybersecurity vulnerabilities in medical imaging equipment and networks related to the Digital Imaging and Communications in Medicine (DICOM) standard, which is used for the exchange of medical images. The Philips global Product Security team is reviewing the published research for further analysis.
A number of the research study’s proposed defenses for the type of cyber-attack have long been advocated and implemented by Philips across our systems and products, including network and device environment hardening, as well as data encryption, limiting device Internet exposure and identity/password protection. Philips continues to be a strong proponent of device encryption and end-to-end encryption strategies are part of Philips’ design-for-security development and deployment of our products and systems.
At this time, a Philips product security analysis of imaging systems indicates limited exposure to this potential vulnerability, whether via network-based use or physical media. Philips imaging systems typically do not interpret or otherwise interact with the indicated DICOM “preamble” content, which has been identified as a possible vector for malicious code.
To date, the company has not received any reports of exploitation of these vulnerabilities or incidents from clinical use of Philips products that are associated with the type of attack demonstrated in published research. Additionally, Philips is not aware that the company’s devices were part of the research.
Philips welcomes collaboration with the security research community with regard to exploring strategies and methods to identify, address, and disclose known or potential cybersecurity threats to medical devices. Philips recognizes that the security of our healthcare, personal health, and home consumer products and services are business critical for our customers. We are dedicated to helping our customers maintain the confidentiality, integrity, and availability of personal data, business data and the Philips hardware and software products that create and manage this data.
Philips operates under a global Product Security policy governing design-for-security in product and services creation, as well as risk assessment and incident response activities for vulnerabilities identified in existing products.
In a medical devices industry “first”, Philips has established a Security Center of Excellence (SCoE) to develop products, which are “cyber-resilient”.
We have also taken the lead in creating a Coordinated Vulnerability Disclosure (CVD) Policy, to collaborate with customers, security researchers, regulators and other agencies to help identify, address and disclose potential vulnerabilities in a safe and effective manner.
To fulfill our commitment to security, Philips maintains a global program to:
Publication Date: April 30, 2019
Update Date: November 7, 2019
Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.
In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible system security vulnerabilities, the company is proactively issuing an advisory regarding the Philips TASY EMR system Version 3.02.1744 and earlier (possible cross-scripting issue) and the Philips TASY Web Portal Version 3.02 1757 and earlier (possible information exposure issue).
This is an update to the April 2019 Coordinated Vulnerability Disclosure by Philips regarding this software, to add the TASY Web Portal issue.
Philips has become aware that these potential issues may allow an attacker with low skill to compromise patient confidentiality, system integrity, and/or system availability. Some of the affected vulnerabilities could be attacked remotely.
At this time, Philips has received no reports of exploitation of these vulnerabilities or incidents from clinical use that we have been able to associate with this problem. Philips analysis has shown that it is unlikely that this vulnerability would impact clinical use, due to mitigating controls currently in place. Philips analysis indicates that there is no expectation of patient hazard due to this issue. To date, Philips has received no complaints involving clinical use that we have been able to associate with this problem.
Philips advises customers to follow manufacturer instructions in the system configuration manual and not provide Internet access to the system without a Virtual Private Network (VPN). Customers are also advised to be on the last three (3) released versions, following the system software release schedule, and also upgrade service packs as soon as possible. Hosted solutions will be patched automatically. Customers running the application on premise are alerted via release notes on changes to the system.
Philips has reported this potential vulnerability and its resolution to customers and the appropriate government agencies, including US DHS ICS-CERT, which is issuing an advisory.
Users with questions regarding their specific Philips TASY EMR system are advised by Philips to contact their Customer Success Manager (CSM), local Philips service support team, or regional service support. Philips contact information is available at the following location:
https://www.usa.philips.com/healthcare/solutions/customer-service-solutions
Publication Date: February 14, 2019
Update Date: February 14, 2019
Philips is currently monitoring updates related to the recent advisory by National Institute of Standards and Technology (NIST) regarding a flaw in runc, Docker and Kubernetes’ container runtime. (See Advisory: https://nvd.nist.gov/vuln/detail/CVE-2019-5736.) RunC is the underlying container runtime for Docker, Kubernetes, and other container-dependent programs. It is an open-source command-line tool for spawning and running containers.
As part of Philips’ product security policy and protocols, Health Suite Digital Platform (HSDP) is aware of the recently disclosed security issue that affects several open-source container management systems (CVE-2019-5736). HSDP Operations reviewed the security bulletin and determined that the Cloud Foundry and container-host service environments are not vulnerable due to user namespaces being strictly enforced. No action is required by clients to address this security issue. At this time, Philips has not received reports of these vulnerabilities affecting clinical use of company products.
Philips advises customers with product concerns relating to these vulnerabilities should send an email to productsecurity@philips.com. Further information regarding Philips’ recommendations regarding this event may be found at the Philips product security web site: https://www.philips.com/productsecurity
Customers with questions regarding their specific products are advised to contact their local Philips service support team or their regional service support. Philips contact information is available at the following web page: https://www.usa.philips.com/healthcare/solutions/customer-service-solutions
