Customer Support

Committed to proactively addressing the security concerns of our customers

To guide our efforts, we have created a global policy to address the evolving nature of security in medical technology, including product feature requirements, security threat assessment and tracking, and compliance with local government standards.

Security Advisory & Archive

Philips iSite and IntelliSpace PACS Vulnerabilities (28-MAR-2018)

Publication Date:  March 28, 2018

Update Date:  March 28, 2018

 

Philips is a committed leader in medical device cybersecurity. Governed by our global Product Security Policy, the company conducts extensive ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.

 

As part of Philips’ Responsible Disclosure Policy for the awareness and remediation of potential system security vulnerabilities, Philips is proactively issuing an advisory concerning potential vulnerabilities that may affect Philips iSite and IntelliSpace PACS (Picture Archiving and Communications Systems). 

 

Philips has confirmed that Philips iSite and IntelliSpace PACS contain security vulnerabilities that under certain specific conditions could impact or potentially compromise patient confidentiality, system integrity, and/or system availability.  To remediate the risk of these identified vulnerabilities, Philips is offering customers a number of potential options to select, based on their requirements.

 

Philips’ analysis has shown that these issues, if fully exploited may allow attackers of low skill to provide unexpected input into the application, execute arbitrary code, alter the intended control flow of the system, access sensitive information, or potentially cause a system crash.  Philips has identified that some of the affected vulnerabilities could be attacked remotely.  Exploits that could target some of the vulnerabilities are known to be publicly available.

 

At this time, Philips has received no reports of patient harm. Philips analysis has shown that it is unlikely that this vulnerability would impact clinical use, due to mitigating controls currently in place. To date, Philips has received no complaints involving clinical use that we have been able to associate with this problem.

 

Philips IntelliSpace PACS runs in a managed service environment which adheres to ICS-CERT recommendations to minimize the risk of exploitation (Virtual Private Network, Firewall isolation from other networks, no internet access). In addition, Philips employs an automated Antivirus solution that continuously monitors and remediates threats across all systems in the managed service environment. Philips has a monthly recurring patch program which all IntelliSpace PACS users are encouraged to participate. Customers who participate in this program receive all Philips approved operating system and application patches in a timely fashion.

 

In addition, in 2016 Philips announced software updates and has controlling mitigations on the affected PACS systems to further limit the risk and exploitability of these vulnerabilities. The Philips iSite 3.6 platform is currently at its end of life (EoL) and end of service (EoS). 

Philips recommends three paths that customers may select depending on their particular situation, which are offered by Philips at no charge for full service delivery model contracts:

 

  • The simplest and most straightforward option is to enroll in Philips recurring patching program, this will remediate 86% of all known vulnerabilities.
  • A more robust option is to enroll in Philips recurring patching program and updating system firmware.  This option will remediate 87% of all known vulnerabilities including all known critical vulnerabilities.
  • The most robust option by Philips is to enroll in the recurring patching program and update system firmware and upgrade to IntelliSpace PACS 4.4.55x with Windows operating system 2012, which addresses product hardening. This option remediates 99.9% of all the known vulnerabilities including all critical vulnerabilities.

 

Philips will continue to add cybersecurity vulnerability remediation improvements through our Secure Development Lifecycle (SDL) as threats continue.

 

Philips has reported these potential vulnerabilities and its resolution to customers and the appropriate government agencies, including US DHS ICS-CERT, which is issuing an advisory.

 

Users with questions regarding their specific IntelliSpace PACS solutions are advised by Philips to contact their Customer Success Manager (CSM), Market Success Leader (MSL), local Philips service support team, or regional service support. Philips contact information is available at the following location:

Philips Alice 6 System Vulnerabilities (26-MAR-2018)

Publication Date:  March 26, 2018

Update Date:  March 26, 2018

 

As part of Philips’ Responsible Disclosure Policy for the awareness and remediation of potential system security vulnerabilities, the company is proactively issuing an advisory concerning a potential, low-risk security vulnerability that may affect the Philips Alice 6 Polysomnography System (PSG).

 

Philips has identified hard-coded credentials and clear text storage and transmission of patient personal health information vulnerabilities in Philips Alice 6 devices. Philips has updated product documentation and will release a new version that mitigates these vulnerabilities. These vulnerabilities could potentially be exploited remotely.

 

Successful exploitation may allow an attacker to gain visibility to usernames/passwords and personal data. Insufficient encryption and cryptographic integrity checks can lead to altered, corrupted, or disclosed personal data. Disclosure of personal data can occur by replacing a trusted node with a malicious node.

 

Philips is scheduled to release a new product version and supporting product documentation in December 2018. For all users of Alice 6 version up through R8.0.2, Philips will make an update available. This update will introduce HTTPS for remote connections and eliminates hardcoded/fixed password vulnerabilities.

 

Philips will provide users with notification of the availability of the update. Users will be able to apply the update without Philips assistance.

 

Philips recognizes that the security of our healthcare, personal health, and home consumer products and services are business critical for our customers. Philips has taken the lead in creating a Responsible Disclosure policy, to collaborate with customers, security researchers, regulators and other agencies to help proactively identify, address and disclose potential vulnerabilities in a safe and effective manner.

 

Users with questions regarding their specific Alice 6 solutions are advised by Philips to contact their local Philips service support team or regional service support.

Philips IntelliSpace Portal Vulnerabilities (26-FEB-2018) (Updated 18-APR-2018)

Publication Date:  February 26, 2018

Update Date:  April 18, 2018

 

As part of Philips’ Responsible Disclosure Policy for the awareness and remediation of a potential system security vulnerability, the company issued a proactive advisory concerning potential issues with Versions 8.0.x and 7.0.x of the Philips IntelliSpace Portal clinical imaging visualization and analysis solution. NOTE: no incidents of security breach have been reported as a result of these potential vulnerabilities. 

 

Upon disclosing the advisory, it was subsequently published by ICS-CERT – Industrial Control Systems Cyber Emergency Response Team (Advisory ICSMA-18-058-02 Release Date: February 27, 2018), consisting of 6 identified potential issues.  

 

Philips is providing you with more detailed information about the nature of the potential issues reported, the assessment of security vulnerabilities related to these issues, and the mitigation plan to address them.

 

Below are the potential issues, as reported, with a brief explanation about the source of the issue, and mitigation plan:

ICS-CERT DESCRIPTION

REASON/RESPONSE

MITIGATION

INFORMATION EXPOSURE CWE-200

The ISP has multiple information exposure vulnerabilities that could allow an attacker to gain unauthorized access to sensitive information.

Follow Philips recommendations on installing Microsoft security updates. 
Verify that MS17-010 -  Security Update for Microsoft Windows SMB Server (4013389) is installed on the ISP system 

PERMISSIONS, PRIVILEGES, AND ACCESS CONTROLS CWE-264

The ISP has multiple permission, privilege and access control vulnerabilities that could allow an attacker to gain unauthorized access and in some cases escalate their level of privilege or execute arbitrary code.

Access permissions and system configuration items should be reconfigured to assure tighter access control

 

Will be addressed in the next Service Pack*

LEFTOVER DEBUG CODE CWE-489

The ISP has a vulnerability where code debugging methods are enabled, which could allow an attacker to remotely execute arbitrary code during runtime.

IMPROPER INPUT VALIDATION CWE-20

The ISP has multiple input validation vulnerabilities that could allow a remote attacker to execute arbitrary code or cause the application to crash.

UNQUOTED SEARCH PATH OR ELEMENT CWE-428

An unquoted search path or element vulnerability has been identified, which may allow an authorized local user to execute arbitrary code and escalate their level of privileges.

Parts of ISP legacy code is based on previous software security standards. Current software practices will be in line with updated security standards
Will be addressed in the next Service Pack*
Will be addressed in the next Service Pack*
Will be addressed in the next Service Pack*

CRYPTOGRAPHIC ISSUES CWE-310

The ISP has multiple cryptographic vulnerabilities that could allow an attacker to gain unauthorized access to resources and information

  1. Current ISP versions implement legacy encryption protocols.  Next ISP service pack will include updated cryptographic protocols.
  2. Customers shall use purchased or generated cryptographic certificate.

 

  1. Software-related issues will be addressed in the next Service Pack
  2. Make sure appropriate certificate is purchased or generated, and installed on the ISP system

*Philips is actively developing and planning to issue software updates to mitigate these potential issues:

• ISP 7.0 Corrective Version (Service Pack 4) is planned to be released by end-June, 2018

• ISP 8.0 Corrective Version (Service Pack 3) is planned to be released by end-December, 2018

 

Due to the nature of these issues, Philips recommends you follow the guidelines provided here:

1. To address INFORMATION EXPOSURE CWE-200 (High Risk) - Verify that MS17-010 -  Security Update for Microsoft Windows SMB Server (4013389) is installed on the ISP system.  

2. Due to the low probability and severity of compromise (risk assessment) of the other possible issues, Philips’ recommendation is to continue using the system until a corrective version/service pack is provided.

 

Customers with questions regarding their specific IntelliSpace Portal installations are advised by Philips to contact their local Philips service support team or their regional service support. Philips contact information is available at the following location: 

https://www.usa.philips.com/healthcare/solutions/customer-service-solutions

Philips IntelliSpace Cardiovascular Vulnerabilities (24-JAN-2018)

Publication Date:  January 24, 2018

Update Date:  January 24, 2018

 

Philips has confirmed the findings of a customer submitted complaint of a vulnerability affecting versions 2.3.0 and earlier of the Philips IntelliSpace Cardiovascular (ISCV) cardiac image and information management system. If the IntelliSpace Cardiovascular system is used with an Electronic Medical Record (EMR) in Kiosk mode configured with Windows authentication, there is a possibility that the user may not be properly logged out if the browser is not closed at the end of software use. As a result, a subsequent user of the EMR system, who launches ISCV, will be logged in with the credentials of the previous user. This reported vulnerability may allow an attacker to gain unauthorized access to sensitive information stored on the system and modify this information.

 

Philips advises users to close the browser at the end of each session, rather than only logging out, to mitigate this potential issue, or to change the authentication configuration to use encrypted logon from the EMR. In this configuration, Windows authentication is not used therefore the vulnerability is not applicable.

 

At this time, Philips has received no reports of exploitation of this vulnerability or incidents from clinical use that have been able to associate with this problem. The 3.1.0 version of the software will remediate the issue.

 

Customers with questions regarding their specific ISCV or Xcelera installation should contact their local Philips service support team or their regional service support. In alignment with Philips’ Responsible Disclosure Policy and U.S. FDA Post-Market requirements, Philips worked with the customer who submitted the vulnerability observation and appropriate government agencies to draft and distribute a public security advisory concerning this vulnerability.

Meltdown & Spectre Global Security Issue (05-JAN-2018)

Publication Date:  January 5, 2018
Update Date: February 28, 2018

 

Philips is currently monitoring and actively testing updates related to the recently discovered Meltdown and Spectre global security vulnerabilities. As part of the company’s product security policy and protocols, Philips’ global product security team is actively evaluating potential impacts on Philips solutions. At this time, Philips has not received reports of these vulnerabilities affecting clinical use of company products.

 

Meltdown and Spectre are two techniques researchers have discovered that circumvent protections exposing nearly any data the computer processes, such as passwords, proprietary information, or encrypted communications. These security vulnerabilities have been globally reported as known issues with Intel, AMD and ARM chips and are not linked to specific individual products or implementations. These flaws are forcing a redesign of the kernel software present in Windows, Mac, and Linux operating systems present on machines running Intel, AMD and ARM chips.

 

Meltdown allows malicious programs to gain access to higher-privileged parts of a computer's memory, while Spectre steals data from the memory of other applications running on a machine. Currently researchers say that Meltdown is limited to Intel chips, and Spectre attacks Intel, AMD, and ARM processors. Threat actors need access to an enterprise network or a network connection to a specific device to exploit the vulnerability. There are no examples of either exploits in the wild or weaponization of an exploit at this time.

 

Microsoft has released updates to help mitigate these vulnerabilities. A Linux patch is also currently available. Testing and implementation of these patches by third parties including cloud service providers is reportedly currently underway. As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips products and solutions for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for OS updates related to these vulnerabilities and evaluating for further actions or updates to potentially affected Philips products.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips products (including operating system security updates and patches) are implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions. If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.

 

Customers entitled by service-contract to use Philips InCenter are encouraged to request and attain InCenter access and reference product-specific information posted on Philips InCenter. All customers with and without service contracts are encouraged to contact their local service support team or regional product service support as needed for current information specific to their products or Philips deployed installations as information becomes available.

Philips IntelliSpace Cardiovascular and Xcelera Vulnerabilities (13-NOV-2017)

Publication Date:  November 13, 2017
Update Date:  November 13, 2017

 

Philips has confirmed testing observations submitted into Philips by a Philips customer that the ISCV application (version 2.2.0.0) contains a security vulnerability that under certain specific conditions may result in the storage of username and password credentials in clear text within one or more unencrypted system log files, configuration files, or backup files.  Philips has further identified that certain conditions of the same security vulnerability also affect potentially all product versions of Philips ISCV (2.3.0 and earlier) and Xcelera (R4.1L1 and earlier).

 

Philips has received no reports of exploitation of these vulnerabilities or incidents from systems in clinical use that we have been able to associate with this problem.

 

To remediate this vulnerability, Philips initiates a voluntary medical device correction targeted to be issued for all ISCV systems affected by this vulnerability.  Philips is producing software updates for all ISCV and latest Xcelera versions, some of which are available upon request at the time of this advisory (ISCV 1.x, 2.2) for install while other versions are in process of development to be completed by end of 2017.  As ISCV updates become available, they are being aligned into a proactive field change order (reference FCO83000202) for Philips to communicate and remediate the identified vulnerability conditions for affected customers.

 

Customers with questions regarding their specific ISCV or Xcelera installation should contact their local Philips service support team or their regional service support.

 

In alignment with Philips’ Responsible Disclosure Policy and U.S. FDA Post-Market requirements, Philips worked with the customer who submitted the vulnerability observation and appropriate government agencies to draft and distribute a public security advisory concerning these vulnerabilities.

KRACK WPA2 vulnerability for Wi-Fi (31-OCT-2017)

Publication Date: October 31, 2017

Update Date: October 31, 2017

 

Philips is aware of the identified Key Reinstallation Attacks (KRACK) security vulnerability affecting electronic products that rely on the WPA2 wireless encryption technology, the most current and commonly used standard worldwide.

This security vulnerability has been widely reported as a known issue with the WPA2 WiFi security standard itself, and is not linked to specific individual products or implementations.
 

At this time, the known effect of the vulnerability in the WPA2 protocol is that it may allow attackers within physical range of vulnerable devices or access points to possibly intercept passwords and other data presumed to be encrypted. The vulnerability at this time cannot be exploited remotely; the attacker must be within a relatively small physical distance, that also depends on the signal strength.

Like most medical device manufacturers, Philips provides products and solutions with wireless functionality, some of which utilize wireless modules that feature the WPA2 security protocol.
 

Per Philips’ Global Product Security Policy, the company’s worldwide network of product security officers are evaluating the KRACK vulnerability,and conducting analyses on its potential impact on any Philips products. At this time, Philips has not received confirmed reports of securitycompromise of company products in clinical use. However, Philips continues to investigate potential impacts of this vulnerability on products and solutions. Additionally, the company is monitoring advisories and patch releases by OS manufacturers and WiFi vendors, which are being evaluated for potential implementation in applicable Philips solutions.

In the event of confirmation of possibly affected products, Philips will notify customers and provide guidance on addressing the potential issue. Customers with questions regarding this WPA2 vulnerability should contact their local Philips service support team or regional service support.

Philips IntelliVue MX40 WLAN Patient Wearable Monitor Vulnerabilities (11-SEP-2017)

Publication Date: September 11, 2017

Update Date: September 21, 2017

 

Philips is releasing this advisory, confirming the findings of a customer submitted complaint and vulnerability report that identified two vulnerabilities in Philips’ IntelliVue MX40 Patient Worn Monitor for use with wireless local area networks (WLAN).  Philips has produced a software update that fixes one of the identified vulnerabilities (Partial Re-Association to Central Monitor) and provides mitigations for the remaining vulnerability (Wi-Fi Access Point (AP) “Blacklisting”).  In March 2017, Philips initiated a voluntary medical device correction on systems affected by this vulnerability. This was reported to appropriate competent authorities. Philips is planning to release an additional software update in 2017 to address the remaining vulnerability.
 

Philips has received no reports of incidents from clinical use that we have been able to associate with this problem. 

 

Partial Re-Association to Central Monitor [Improper Cleanup on Thrown Exception]:

 

Under specific 802.11 network conditions, a partial re-association of the MX40 Patient Worn Monitor (WLAN) to a compatible central monitoring system (Information Center”) is possible.  In this state, although the Information Center provides a visible and audible “No Data Tele” INOP alert, the MX40 WLAN itself enters telemetry mode, i.e., its screen turns off in one minute and local alarming is disabled.

 

This potential issue was addressed with an IntelliVue MX40 software update (version B.06.18) issued in March 2017 (reference FCO86201774), which has been verified in mitigating the impact of network conditions on the device, and to ensure correct operation, messaging and alarm functions.

 

Wi-Fi Access Point (AP) “Blacklisting” [Improper Handling of Exceptional Conditions]:

 

Several specific 802.11 Wi-Fi network management instructions might not de-authenticate (disconnect) the MX40 from the access point (AP) without also placing the AP on a security AP blacklist to block or prevent further use of the AP without intervention by staff.  While AP blacklisting from the MX40 is an intended security feature of MX40 in response to certain Wi-Fi management messages, several Wi-Fi messages have been identified to invoke AP blacklisting when not required and could be invoked either by environmental Wi-Fi network conditions or a crafted script.

 

This issue is mitigated by MX40 design and software update B.06.18 whereby MX40 switches into local mode with messaging and alarming on the local device and at the Central Station, thus alerting hospital staff when MX40 disconnects from the AP and disassociates from central.  While mitigated, Philips recognizes the potential gap and concern and will release an MX40 software update targeted within 2017 to correct the intended alignment between Wi-Fi management messages and security blacklisting of the AP.

 

To date, the necessary network conditions for both issues (partial re-association, AP blacklisting) have only been found during system testing by a customer and Philips.   Nonetheless, if either of the issues occurred while monitoring a patient, it could result to a delay in treatment.  Philips therefore recommends customers update to MX40 software version B.06.18.

 

Under the terms of Philips’ Responsible Disclosure Policy, Philips worked with the customer and global and U.S. government agencies and related organizations to draft and distribute an advisory concerning this potential issue.

Philips DoseWise Portal Vulnerabilities (17-AUG-2017)

Publication Date: August 17, 2017

Update Date: August 17, 2017

 

Philips has confirmed the findings of a customer submitted complaint and vulnerability report that the Philips DoseWise Portal (DWP) application (version 1.1.7.333 and 2.1.1.3069) contains security vulnerabilities of hard-coded database credentials stored in clear text (unencrypted) within backend system files behind current production security defenses.

 

Philips has received no reports of exploitation of these vulnerabilities or incidents from clinical use that we have been able to associate with this problem.

 

For an attacker to use or exploit these vulnerabilities to access the underlying DWP database, elevated privileges are first required in order for an attacker to access the web application backend system files that contain the hard-coded credentials.  Successful exploitation may allow a remote attacker to gain access to the database of the DoseWise Portal application which contains patient health information (PHI).  Potential impact could include compromise of patient confidentiality, system integrity, and/or system availability.

 

The Philips DoseWise Portal (DWP) is a radiation dose management solution which simplifies the collection, analysis and interpretation of patient radiation dose metrics and acquisition parameters across x-ray medical imaging devices. DoseWise Portal captures, tracks, alerts and reports on patient radiation dose to support users to perform statistical analysis of imaging equipment radiation output. This to provide quantitative trends and statistics that users may use as input in planning and tracking dose management improvement activities.  DWP is a standalone Class A software in accordance with IEC 62304, classified as a low-safety-risk medical device.

 

Philips is scheduled to release a new product version and supporting product documentation in August 2017.

  •  For all customers of DWP version 2.1.1.3069, Philips will update the DWP installation to version 2.1.2.3118.  This update will replace the authentication method and eliminate the hard-code password vulnerabilities from the DWP system.  
  • For all customers of DWP version 1.1.7.333, Philips will reconfigure the DWP installation to change and fully encrypt all stored passwords.
  • As an interim mitigation, until the update can be applied, Philips recommends that customers:

- Ensure network security best practices are implemented and

- Block Port 1433, except where a separate SQL server is used.

 

Philips has notified all customers of the identified vulnerabilities and will coordinate with customers to schedule updates. Philips encourages users to only use Philips-validated and authorized changes for the DoseWise Portal system supported by Philips’ authorized personnel or under Philips’ explicit published directions for product patches, updates, or releases.

 

Customers with questions regarding their specific DoseWise Portal installations should contact their local Philips service support team or their regional service support.

Worldwide Outbreak of Petya Malware (05-JUL-2017)

Publication Date:  July 5, 2017
Update Date:  July 5, 2017

 

ADVISORY / GENERAL GUIDANCE

 

Philips is aware the current malware campaign known as Petya (also known as NotPetya, Petna, EternalPetya, PetyaBlue, PetyaWrap, Petrwrap, SortaPetya, Nyetya or Expetr) was reported June 27th to be spreading and impacting organizations and critical infrastructure around the globe.  The malware encrypts (locks) computers and demands a payment in Bitcoins, according to information shared online by affected institutions.  Originally reported as ransomware, industry research now indicates the Petya malware to be a data “wiper” in disguise as ransomware – a form of malware that wipes or destroys access to data without the attacker having either intent or control to enable recovery of the locked files.   Most of the initial event was reported to primarily impact organizations in Ukraine.  However, new malware infections reportedly spread quickly to impact systems and infrastructure from Russia, The Netherlands, France, India, Australia, the U.S., and other countries. Affected organizations include hospitals, shipping ports, power companies, banks, and an extended list of other types of institutions. According to industry researchers, initial attack vectors were delivered via a Ukrainian company’s (M.E.doc) update service for their finance application, which is popular in Ukraine and Russia.  Once the initial compromise took hold, the malware exploited other vulnerabilities to spread over vulnerable networks by exploiting a Windows vulnerability (in SMBv1) similar to the WannaCry outbreak in May. Further information on this Windows vulnerability and the Petya outbreak can be found on the Microsoft website at “Update on Petya malware attacks”. 

 

The vulnerability to this ransomware was identified and a patch was released by Microsoft on March 14, 2017 (MS17-010) for Microsoft supported versions of Windows (including WinVista, WinServer 2008, Win7, WinServer 2008 R2, Win 8.1, WinServer 2012, Win10, WinServer 2012 R2, and WinServer 2016).  In further response specific to this ransomware outbreak, Microsoft also took extra steps to release updates for versions of Windows not under Microsoft mainstream support (including WinXP, Win8, and WinServer 2003).

 

Consistent with Philips Product Security Policy, our global network of product security officers and technical support teams are closely monitoring the situation and continue to take appropriate preventative measures. Philips will continue to work with our customer base to address this malware event and drive any product-specific or customer installation-specific preventative measures such as installation of the latest Microsoft Security Patches, Windows vulnerability containment steps, or other Philips-approved countermeasures as required on Philips products.

 

AFFECTED PRODUCTS

 

Select Philips products may be affected by the Microsoft vulnerability being exploited by the Petya malware. The potential for exploitability of any such vulnerability depends on the specific configuration and deployment environment of each product as well as adherence to the intended use of the product.

 

To date, Philips has not received any reports of Philips products or business operations being directly affected by this reported malware.     

 

Preventative measures on Philips products should be implemented in accordance with Philips authorized steps or countermeasures defined and approved by Philips. 

            Customers entitled by service-contract to use the Philips InCenter Customer Portal are encouraged to request and attain InCenter access and reference product-specific information posted on Philips InCenter.

 

Philips highly recommends all customers with and without service contracts contact their local service support team or regional product service support to discuss any needed guidance, services, or questions regarding their specific products or installations. Customers who require general information on Philips Product Security may contact Philips Product Security at productsecurity@philips.com.

 

PRS/RSN Note: 


For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips service teams from providing any required immediate and proactive support such as remote patching.

GENERAL GUIDANCE

 

The items below are offered as general guidance, are for general consideration only, and must be reviewed in alignment with any posted Philips Service Bulletin with Philips service support to ensure all defined testing and verification processes are followed within product specification and regulatory requirements.  

 

Work with Philips services support to identify and review:

  1. Philips products that have been patched to protect against the SMB vulnerability being exploited by the Petya malware.
  2. Philips products that may still be vulnerable to impact from the Petya malware.
  3. For Philips products that are potentially vulnerable to the Petya malware, consider the following options or combination of options (where applicable and in accordance with authorized Philips service):

            -Arrange for Philips service teams to apply any available Philips-approved patches or updates to your system per standard procedures.

            -Consider implementing anti-virus access protection rules (Example:  Per McAfee Guidance https://kc.mcafee.com/corporate/index?page=content&id=KB89540&actp=null&viewlocale=en_US&showDraft=false&platinum_status=false&locale=en_US).

            -Consider blocking SMB and RDP ports per Microsoft guidance.

            -Consider disabling SMBv1 on our devices if authorized by Philips for your product.

 

Other General Points for Customer Awareness:

  1. Re-imaging an infected machine will likely overwrite/destroy information on that device.
  2. Making payment to ransomware is not a Philips recommendation. Reportedly, ransom payments in response to Petya infections have not resulted in restored access to a Petya infected files or systems. If payment is made in an effort to decrypt the system, then

            -Data, if and when available, should be backed up to a safe location with appropriate restoration procedures.

            -Reinstall the system applications with at least one of the recommended actions to prevent re-infection to the device.

            -Network segmentation will help prevent harm to the device as long as the SMB and RDP are not utilized and blocked.

 

SUPPORT OF MICROSOFT GENERAL RECOMMENDATIONS

 

On June 28th Microsoft posted their “Update on Petya malware attacks” which included Microsoft recommendations for Windows users to consider toward the identification, prevention, and mitigation of the risk of compromise from reported Windows vulnerabilities being exploited by Petya.  The advisory included options for users to consider for deployment of Windows security updates and other changes to system configuration as potential countermeasures. 

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips products (including Windows security updates and patches) are implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions. 

 

Philips policy, the U.S. FDA post-market guidance, and other regulatory jurisdiction requirements state that all critical vulnerabilities must be assessed and mitigated.  In the case of WannaCry and Petya, a number of Philips products are deployed with default security hardening that securely mitigates the risk of WannaCry and Petya vulnerabilities due to firewall configuration, closed ports, anti-virus/whitelisting, or other security features designed into the product architectures. In those specific cases, Philips will not require Windows security patching to mitigate against WannaCry or Petya threats since those products are not assessed to be vulnerable to exploit from WannaCry or Petya when deployed and operated within specification. Likewise, the same product-by-product assessment is made by Philips relative to other countermeasures like network port blocking that may be recommended by Microsoft but might not be applicable to all Philips products or product versions.  Philips product teams therefore assess all published Windows critical vulnerabilities on a product-by-product basis routinely and document product vulnerability status into product MDS2 forms and vulnerability tables. If a product does require Microsoft security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.

 

Customers entitled by service-contract to use Philips InCenter are encouraged to request and attain InCenter access and reference product-specific information posted on Philips InCenter. All customers with and without service contracts are encouraged to contact their local service support team or regional product service support as needed for current information specific to their products or Philips deployed installations as information becomes available.

 

Website Advisory on Worldwide Ransomware Outbreak  (WannaCry, et. al.)

 

Publication Date:  May 26, 2017

Update Date:  May 26, 2017

Worldwide Outbreak of WannaCry Malware (15-MAY-2017)

ADVISORY / GENERAL GUIDANCE

 

Philips is aware of the current ransomware campaign known as WannaCry (also known as Ransom-WannaCry, WCry, WanaCrypt, and WanaCrypt0r) which has attacked a large number of organizations and over 300,000 victims around the world in approximately 150 countries.  The malware encrypts (locks) computers and demands a payment in Bitcoins, according to information shared online by affected institutions.  According to Microsoft, ransomware attacks have been observed to use common email phishing tactics with malicious attachments to infect devices.  Once launched, the malware can further spread to adjacent systems on a network by exploiting a Windows vulnerability (in SMBv1).  Further information on this Windows vulnerability can be found on the Microsoft website at Microsoft (MS) Customer Guidance for WannaCry Attacks.

 

The vulnerability to this ransomware was identified and a patch was released by Microsoft on March 14, 2017 (MS17-010) for Microsoft supported versions of Windows (including WinVista, WinServer 2008, Win7, WinServer 2008 R2, Win 8.1, WinServer 2012, Win10, WinServer 2012 R2, and WinServer 2016).  In further response specific to this ransomware outbreak, Microsoft also has taken extra steps to release updates for versions of Windows not under Microsoft mainstream support (including WinXP, Win8, and WinServer 2003).

 

Consistent with Philips Product Security Policy, our global network of product security officers and technical support teams are closely monitoring the situation and continue to take appropriate preventative measures.  Philips will continue to work with our customer base to address this malware event and drive any product-specific or customer installation-specific preventative measures such as installation of the latest Microsoft Security Patches, Windows vulnerability containment steps, or other Philips-approved countermeasures as required on Philips products.

 

INTENDED USE ADVISORY

 

Philips would like to advise our customers that neither use of an email client nor browsing the Internet is part of the intended use of any Philips product covered by this advisory.  Philips products that are not listening on SMB ports (137, 138, 139, 445) or RDP port (3389) are not exposed to this Windows vulnerability provided the product is deployed within Philips product specifications and used in accordance with intended use of the product. 

AFFECTED PRODUCTS

 

Select Philips products may be affected by the Microsoft vulnerability being exploited by the WannaCry ransomware.  The potential for exploitability of any such vulnerability depends on the specific configuration and deployment environment of each product as well as adherence to the intended use of the product.

 

Preventative measures on Philips products currently affected by this MS Windows vulnerability (listed in the table below) should be implemented in accordance with Philips authorized steps or countermeasures defined and approved by Philips.  

 

Customers entitled by service-contract to use the Philips InCenter Customer Portal are encouraged to request and attain InCenter access and reference product-specific information posted on Philips InCenter.

 

Philips highly recommends all customers with and without service contracts contact their local service support team or regional product service support to discuss any needed guidance, services, or questions regarding their specific product installations. Customers who require further general information on Philips Product Security may contact Philips Product Security at productsecurity@philips.com.

                                         Philips Products

ServicesReference


IS PACS (IntelliSpace Picture Archiving and Communication System):

  • All Philips IS PACS customers are deployed on Philips managed services.  Philips has engaged all IS PACS customers in scheduling full remediation of any potential exposures to the Windows vulnerability exploited by WannaCry.

PhilipsManagedServices



ISP IX (IntelliSpace Portal Workstation IX):

Version: 6.0.2

ICAP0034

PIIC iX (IntelliVue Information Center):

  Version:  PIIC iX A/B and PIIC Classic N.01

  Version:  PIIC Classic – L, M and N.0 (Out-of-Service, End-of-Support)

 

SB86202583A

 

SB86201939A

IEM (IntelliSpace Event Management):

SB86202577A

Philips highly recommends all customers with and without service contracts contact their local service support team or regional product service support to discuss any needed guidance, services, or questions regarding their specific product installations.  Supporting documentation is posted on the Philips InCenter Customer Portal.  Customers who require further general information on Philips Product Security may contact Philips Product Security at productsecurity@philips.com.

 

Note:
For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips service teams from providing any required immediate and proactive support such as remote patching.

 

GENERAL GUIDANCE

 

The items below are offered as general guidance, are for general consideration only, and must be reviewed in alignment with any posted Philips Service Bulletin with Philips service support to ensure all defined testing and verification processes are followed within product specification and regulatory requirements.  

Work with Philips services support to identify and review:

  1. Philips products that have been patched to protect against the vulnerability being exploited by the WannaCry ransomware.
  2. Philips products that may still be vulnerable to impact from the WannaCry ransomware.
  3. For Philips products that are potentially vulnerable to the WannaCry ransomware, consider the following options or combination of options (where applicable and in accordance with authorized Philips service):

-Consider blocking SMB and RDP ports per Microsoft guidance.

-Consider disabling SMBv1 on our devices if unable to patch the systems.

-Arrange for Philips service teams to apply any available Philips-approved patches or updates to your system per standard procedures.

-Consider implementing anti-virus access protection rules (Example:  Per McAfee Guidancehttps://kc.mcafee.com/corporate/index?page=content&id=KB89335&elqTrackId=080d6d6426f34a2fb9b7fae0ca16d59a&elq=ab2a4141be0344bb8dfd6f18c91a9f26&elqaid=7257&elqat=1&elqCampaignId=4054).


Other General Points for Customer Awareness:

  1. Re-imaging an infected machine will likely overwrite/destroy information on that device.
  2. Making payment to ransomware is not a Philips recommendation.  However, if payment is made to decrypt the system, then

-Data, if and when available, should be backed up to a safe location with appropriate restoration procedures.

-Reinstall the system applications with at least one of the recommended actions to prevent re-infection to the device.

-Network segmentation will help prevent harm to the device as long as the SMB and RDP are not utilized and blocked.


References Resources:

  1. Microsoft (MS) Customer Guidance for WannaCry Attacks
    https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
  2. US-CERT:  Indicators Associated With WannaCry Ransomware
    https://www.us-cert.gov/ncas/alerts/TA17-132A)
  3. ENISA – Europian Union Agency for Network and Information Security:  WannaCry Ransomware Outburst
    https://www.enisa.europa.eu/publications/info-notes/wannacry-ransomware-outburst


Philips is committed to ensuring robust product security resources and support for our healthcare customers, and their patients who rely on them. We continue to engage with the medical device industry, security research community, and government agencies to monitor the situation, respond accordingly, and meet ongoing healthcare cybersecurity challenges.

Philips Xper-IM vulnerability information (14 Jul 2016)

In the second quarter of 2016, Philips was contacted by security researchers regarding potential security vulnerabilities with the Philips Xper-IM Connect system. As part of our Responsible Disclosure policy and processes, Philips has been in collaboration with the security researchers investigating this issue to promptly and transparently address the identified vulnerabilities in the Xper-IM Connect system.

 

The joint analysis by Philips and the researchers determined that Xper-IM Connect systems running on unsupported Windows XP operating systems and outdated product software were vulnerable to a number of potential exploits, which if implemented, could result in a remote attacker gaining access to an affected system.

 

The Philips product security team was able to confirm that all of the reported vulnerabilities in the Xper-IM Connect system are remediated by upgrading to the minimum specification of Windows 2008 Server or the recommended specification of Windows 2008 Server R2 and then applying a new product software version (Xper-IM Connect Version 1.5 Service Pack 13). We are providing recommendations and contact information in order to help any affected customers using a potentially affected Xper-IM Connect System address the issue and correct any affected systems as rapidly as possible.

 

Both Philips and the security researchers contributed to a joint disclosure to the U.S. Department of Homeland Security’s NCCIC/ICS-CERT organization, and was the source for that body’s Medical Device Advisory concerning this issue.

 

Philips is committed to ensuring the security and integrity of our products. Philips takes this matter very seriously. While any potential or identified security vulnerabilities are a concern, at this time we are not aware of any customers or patients that have been directly affected by this issue.

Shellshock (Unix Bash shell) Vulnerability
Philips Healthcare is aware of the Unix “Shellshock” security vulnerability. The effect of this vulnerability on Philips healthcare products and services is being investigated by the Philips engineering and product security teams. This site will be updated once a solution is available for any affected product(s).
SSLv3 POODLE Vulnerability

Philips Healthcare is aware of the SSLv3 POODLE security vulnerability. The effect of this vulnerability on Philips healthcare products and services is being investigated by the Philips engineering and product security teams. This site will be updated once a solution is available for any affected product(s).

 

Philips manufactures, and helps customers maintain, highly complex medical devices and systems. Per policy, only Philips-authorized changes are allowed to be made to these systems, either by Philips personnel or under Philips’ explicit published direction.

Heartbleed Vulnerability

Philips Healthcare is aware of the OpenSSL ‘heartbleed’ security vulnerability. The vulnerability (assigned CVE-2014-0160) impacts OpenSSL versions 1.0.1 – 1.0.1f. The effect of this vulnerability on Philips healthcare products and services is being investigated by the Philips engineering and product security teams. Customers will be notified once a solution is available for any affected product(s).

 

For our Remote Service solution (PRS) we have reviewed all of our customer facing interfaces and VPN connections to our customer facilities, and can confirm that these are not affected by the Heartbleed issue.

Philips Healthcare and Windows XP End of Support

As part of our continued attention to your security needs, Philips Healthcare wishes to bring to your attention that Microsoft has discontinued support for the Microsoft Windows XP Operating System, following
April 8, 2014.

 

Where feasible, Philips Healthcare has been developing solutions for products running Windows XP to address continuity of protection against known and emerging security threats and vulnerabilities.

 

To this end, Philips Healthcare will provide product-specific Statements to assist customers. Where applicable, these Product Statements may provide upgrade or field change order information.

Philips Xper-IM Vulnerabilities (21 Feb 2013)
Philips Healthcare is aware that researchers at a recent cyber-security conference in Florida presented on a security vulnerability in a system component of the Philips Xper Information Management System. This has been investigated by the responsible Philips engineering and product security experts and we expect to provide a software update within a short period of time once the software validation has been completed. Affected customers will be notified directly once this software update is available.

A related concern regarding the disclosure during the conference of service passwords used on Xper IM systems is already being addressed by a Philips Field Change Order (FCO 83000171) which is currently being distributed to all affected customers. The information provided by this FCO also contains instructions to mitigate the above network-based heap overflow vulnerability in the interim.

Philips manufactures, sells and helps you maintain highly complex medical devices and systems. Per policy, only Philips authorized changes are allowed to be made to these systems, either by Philips personnel or under Philips explicit published direction.


Please contact your Philips service representative for specific information about potential vulnerabilities and the availability of patches for your equipment configuration.