Security Advisory
Philips Product Security Status documents have product-specific vulnerability updates and security-related information such as supported anti-virus software, OS security features, and remote service.
Each product has its own table and the products are separated by modality, i.e. Informatics, Ultrasound, Magnetic Resonance, etc. The Status Documents list known software vulnerabilities, the current status, and Recommended Customer Action.
Revised tables are posted regularly with the latest available information.
As part of our commitment to product security and customer service, Philips Healthcare supplies our customers with information to help assess and address the vulnerabilities and risks associated with products that maintain or transmit ePHI.
Specifically, Philips Healthcare is using the Manufacturer Disclosure Statement for Medical Device Security (MDS²) to provide security information about its products.
The MDS² contains product specific security information such as:
The MDS², a universal reporting form which allows Philips Healthcare to supply its customers with model-specific information, is endorsed by the American College of Clinical Engineering (ACCE), ECRI (formerly the Emergency Care Research Institute), the National Electrical Manufacturers Association (NEMA), and the Healthcare Information and Management Systems Society (HIMSS).
The form also contains security practice recommendations and explanatory notes from the manufacturer as well as detailed.
To register, send an e-mail to Incenter@philips.com providing the following information:
Once your request is processed, you will receive an email from GCS Helpdesk with login and passcode information.
Already registered?
Publication Date: March 24, 2020
Update Date: March 24, 2020
Overview
Philips produces and sells connected air purifier that provide healthy air to consumers. The connected air purifier can be controlled by an app, Philips has partnered with Air Matters, a world-leading air quality app. It monitors in- and outdoor air quality, offers insights, controls your Philips connected Air device, shows its filter status, and gives you advice how to manage exposure to air pollution and allergens. An independent security researcher submitted three vulnerabilities that can be mitigated regarding communications, key length and de-compilation of the mobile app.
Affected Products:
Philips reports that these vulnerabilities affect Air Matters Android version 4.2.9 and below.
Impact:
An attacker connected to an unprotected WiFi local network could compromise the encryption protocol to start and/or stop the air purifier.
An attacker connected to the WiFi local network can connect to the device. Subsequently the device can remotely be controlled. This impact is similar to downloading the Airmatters App and in a local network connect to the Airpurifier device. Which is standard behavior part of the functionality advertised to the customer.
Background
An independent security researcher reported the local network communication between the app and the Air Purifier has been reverse engineered. The three main vulnerabilities identified are 1) No use of https/tls encryption in the local network. 2) Diffie Hellman key length, and 3) de-compilation of Android mobile app. 4) through scripting from the local network a connection with the device can be setup.
These vulnerabilities do not impact confidentiality or integrity of data. The vulnerabilities could potentially impact availability.
Once notified, Philips analyzed the extent and started the containment and resolution actions.
The vulnerabilities are due to the use of a outdate chip version. This chip is not used in the production of new devices anymore. Newer versions of the device use a chip without these vulnerabilities.
Vulnerability Overview
CWE-319: Cleartext Transmission of Information
The software transmits data in cleartext in a communications channel that can be sniffed by unauthorized actors. Many communication channels can be sniffed by attackers during data transmission.
CVSS v3 base scores for this vulnerability is rated as 5.3 (Medium) with the vector string of: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE-327: INSUFFICIENT DIFFIE HELLMAN STRENGTH
The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of information.
CVSS v3 base scores for this vulnerability is rated as 4.3 (Medium) with the vector string of: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Through Scripting in the local network a connection with the device can be setup. Subsequently this connection can be used to control the device remote.
Existence of Exploit
Public exploits exist for some of these vulnerabilities, however, none are specifically targeted for Philips Air Purifier.
Difficulty
An attacker with medium to high skill in would be able to exploit these vulnerabilities
Mitigation
For the old infrastructure of Philips Air Purifiers products:
The improved infrastructure of new launched Air Purifiers will not have these issues anymore as they have been solved. The new products have been introduced from mid 2019 onwards.
Philips recommends consumers to use the new devices with the new infrastructure.
Please see the Philips product security web site for the latest security information for Philips products: https://www.philips.com/productsecurity
Publication Date: March 12, 2020
Update Date: Feb March 12, 2020
Royal Philips (NYSE: PHG, AEX: PHIA), a global leader in health technology, today announced that the company was named the first medical device manufacturer to receive a new Underwriters Laboratories (UL) product cybersecurity testing certification. Underwriters Laboratories (UL) is an independent global safety certification and testing company with locations worldwide.
The UL IEC 62304 certification was designed by Underwriters Laboratories to provide an overall framework to evaluate the robustness and maturity of a medical device manufacturer’s cybersecurity controls and capabilities for product development.
In support of the successful Philips firm registration for the security option of IEC 62304, UL performed a comprehensive audit of the Philips Security Center of Excellence. The Center was launched in 2015 to develop cyber-resilient products and services through security-by-design, risk assessment, vulnerability and penetration assessment, specialized trainings, and incident response.
The audit reviewed and verified core Philips Security Center of Excellence product security processes, including security risk management and risk control measures, software security verification planning, change management and continuous improvement, and the Center’s laboratory quality management system.
The UL certification combines cybersecurity testing elements of the established UL 2900-2-1 standard for Software Cybersecurity for Network-Connectable Products, which focuses on the demanding requirements of healthcare and wellness systems, as well as security principles from international standards (ISO 13485 and ISO 14971).
The detailed press release can be found: http://www.newscenter.philips.com/us_en
Publication Date: February 20, 2020
Update Date: April 20, 2020
Philips is currently monitoring developments and updates related to the recent Bluetooth Low Energy (BLE) alert concerning the reported SweynTooth, a family of 12 vulnerabilities (CVE-2019-16336, CVE-2019-17519, CVE-2019-17517, CVE-2019-17518, CVE-2019-17520, CVE-2019-19195, CVE-2019-19196, CVE-2019-17061, CVE-2019-17060, CVE-2019-19192, CVE-2019-19193, CVE-2019-19194 ).
As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Bluetooth Low Energy (BLE) for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for updates related to these vulnerabilities and evaluating further actions or updates to potentially affected Philips products.
According to Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics and Telink Seminconductor, successful exploitation of these vulnerabilities allows an attacker in radio range to trigger deadlocks, crashes, and buffer overflows or completely bypass security depending on the circumstances.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.
Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products.
Begin Update A: April 20, 2020
Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to SweynTooth. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.
| Diamond Clean Smart connected power toothbrush (codes start with HX99) | Flexcare Platinum Connected power toothbrush (codes start with HX91) | Saeco Gran Baristo Avanti – Espresso Machine Models |
| Diamond Clean 9000 connected power toothbrush (codes start with HX99) | Philips Connected Shaver 7000 (S77xx & S79xx) | |
| Expert Clean power connected toothbrush (HX96) | Sonicare - Kids connected power toothbrush (codes start with HX63) | |
Publication Date: January 16, 2020
Update Date: February 4, 2020
Philips is currently monitoring developments and updates related to the recent Microsoft alert concerning the reported Curve Ball or NSA Crypt or CryptoAPI spoofing vulnerability (CVE-2020-0601).
As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for OS updates related to these vulnerabilities and evaluating further actions or updates to potentially affected Philips products.
Microsoft has released patches to help remediate these vulnerabilities. Philips is currently in the process of evaluating these patches. According to Microsoft, successful exploitation of this vulnerability allows Elliptic Curve Cryptography (ECC) certificate validation to bypass the trust store, enabling unwanted or malicious software to masquerade as authentically signed by a trusted or trustworthy organization. This could deceive users or thwart malware detection methods such as antivirus. Additionally, a maliciously crafted certificate could be issued for a hostname that did not authorize it, and a browser that relies on Windows CryptoAPI would not issue a warning, allowing an attacker to decrypt, modify, or inject data on user connections without detection.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.
Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products.
Begin Update B: February 4, 2020
Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2020-0601. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.
| Achieva (Upgrade R1, R2, R3 to R5), R5, 3.0T, 3.0T (TX), and XR) | Forcare Suite* | IntelliSpace Portal Workstation* |
| CareEvent* | Holter Recorder DigiTrak XT (CTXT)* | IntelliVue Guardian Software |
| CompuRecord G.01* | Illumeo 2.0* | IntraSight |
| Diagnostics Site Server (DSS) | Ingenia (Upgrade to R5 & Factory R5) | MobileDiagnost wDR |
| DigitalDiagnost C90 | Intellibridge Enterprise (IBE)* | Multiva/Prodiva |
| DoseWise Portal | IntelliSpace Cardiovascular (ISCV)* | PIC iX* |
| EchoNavigator | IntelliSpace Console Critical Care (ISCCC) | ST80i A.02 |
| eICU eCare Manager | IntelliSphere Critical Care and Anesthesia (ICCA)*,** | VSS Dashboard* |
| FocalPoint A.0/A.01* | IntelliSpace ECG Management System B.00 (IECG) | Xper IM* |
*Software only products with customer owned Operating Systems
**Information or patch available in Incenter
Begin Update A: January 21, 2020
Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2020-0601. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.
| Achieva (Upgrade R1, R2, R3 to R5), R5, 3.0T, 3.0T (TX), and XR) | Corsuim | Diagnostics Site Server (DSS) |
| DigitalDiagnost C90 | EchoNavigator | Holter Recorder DigiTrak XT (CTXT) |
| Illumeo 2.0 | Ingenia (upgrade to R5 and Factory R5) | IntelliSpace Connect |
| IntelliSpace Discovery 2.0 | IntelliSpace ECG Management System B.00 (IECG) | IntelliSpace Portal SErver |
| IntelliSpace Portal Workstation | MobileDiagnost wDR | Multiva/Prodiva |
| ST80i A.02 | | |
Publication Date: January 15, 2020
Update Date: April 20, 2010
Philips is currently monitoring developments and updates related to the recent Microsoft alert concerning the reported Windows RD Gateway and Windows Remote Desktop Client vulnerabilities (CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611).
As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for OS updates related to these vulnerabilities and evaluating further actions or updates to potentially affected Philips products.
Microsoft has released patches to help remediate these vulnerabilities. Philips is currently in the process of evaluating these patches. According to Microsoft, successful exploitation of this vulnerability could allow an unauthorized user to execute arbitrary code on the target system. An unauthorized user could then install programs; view, change, or delete data; or create new accounts with full user rights.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.
Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products.
Begin Update C: April 20, 2020
Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.
| Achieva (R1, R2, R3 to R5, R5, 3.0T, 3.0TX, and XR) | Epiq | Multiva |
| Affiniti | FlexCardio | Multiva/Prodiva |
| Allura (Centron, Clarity, Xper) | FocalPoint A.0/A.01 | PIC iX* |
| Azurion | Holter Recorder DigiTrak XT (DTXT)* | PIIC Classic |
| CareEvent* | Illumeo 2.0 | Prograde |
| ClearVue | Ingenia (upgrade to R5 & Factory R5) | ProxiDiagnost N90 |
| CombiDiagnost R90 | Intelibridge Enterprise (IBE)* | Sparq |
| CompuRecord (F.02, G.00, G.01)* | IntelliSpace Breast | SPhAERA (3.x & 4.x) |
| Core M2 | IntelliSpace Cardiovascular (ISCV)* | ST80i A.02* |
| Coronary Tools | IntelliSpace Console Critical Care (ISCCC) | SyncVision |
| CX50/30 | IntelliSpace Discovery 2.0 | UDM |
| Diagnostics Site Server (DSS) | IntelliSpace ECG Management System B.00 (IECG)* | ViewForum |
| DigitalDiagnost (C50, C90, Opta C50) | IntelliSpace Perinatal (ISP)* | Volcano Core Imaging System |
| DoseWise Portal* | IntelliSpace Portal (Server & Workstation) | Volcano Core Mobile Imaging System |
| DR Compact | IntelliVue Guardian Software* | VSS Dashboard* |
| DuraDiagnost (Compact and F30) | ISP Anywhere | Xcelera 4.1* |
| EasyDiagnost | ISP VL Caputre 1.1 Visible Light | XIRIS 8.3 |
| EchoNavigator | Juno DRF (5.7) | Xper IM* |
| eICU Care Manager | MicroDose (S0 (Balder), S1 (L50), S1 U (L50 U)) | XtraVision |
| EP Navigator | MobileDiagnost (M50, Opta, and wDR) | |
*Software only products with customer owned Operating Systems
**Information or patch available in Incenter
End Update C
Begin Update B: February 4, 2020
Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.
| Achieva (R1, R2, R3 to R5, R5, 3.0T, 3.0TX, and XR) | Epiq | Multiva |
| Affiniti | FlexCardio | Multiva/Prodiva |
| Allura (Centron, Clarity, Xper) | FocalPoint A.0/A.01 | PIC iX* |
| Azurion | Holter Recorder DigiTrak XT (DTXT)* | PIIC Classic |
| CareEvent* | Illumeo 2.0 | Prograde |
| ClearVue | Ingenia (upgrade to R5 & Factory R5) | ProxiDiagnost N90 |
| CombiDiagnost R90 | Intelibridge Enterprise (IBE)* | Sparq |
| CompuRecord (F.02, G.00, G.01)* | IntelliSpace Breast | SPhAERA (3.0 to 3.5, 3.6 & greater) |
| Core M2 | IntelliSpace Cardiovascular (ISCV)* | ST80i A.02* |
| Coronary Tools | IntelliSpace Console Critical Care (ISCCC) | SyncVision |
| CX50/30 | IntelliSpace Discovery 2.0 | UDM |
| Diagnostics Site Server (DSS) | IntelliSpace ECG Management System B.00 (IECG)* | ViewForum |
| DigitalDiagnost (C50, C90, Opta C50) | IntelliSpace Perinatal (ISP)* | Volcano Core Imaging System |
| DoseWise Portal* | IntelliSpace Portal (Server & Workstation) | Volcano Core Mobile Imaging System |
| DR Compact | IntelliVue Guardian Software* | VSS Dashboard* |
| DuraDiagnost (Compact and F30) | ISP Anywhere | Xcelera 4.1* |
| EasyDiagnost | ISP VL Caputre 1.1 Visible Light | XIRIS 8.3 |
| EchoNavigator | Juno DRF (5.7) | Xper IM* |
| eICU Care Manager | MicroDose (S0 (Balder), S1 (L50), S1 U (L50 U)) | XtraVision |
| EP Navigator | MobileDiagnost (M50, Opta, and wDR) | |
*Software only products with customer owned Operating Systems
**Information or patch available in Incenter
End Update B
Begin Update A: January 21, 2020
Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.
| Access CT (6 & 16 Slice) | Achieva (R1, R2, R3 to R5, R5, 3.0T, 3.0TX, and XR) | Brilliance (Big Bore Radiology, CT 64, CT Big Bore, iCT, iCT SP) |
| CombiDiagnost R90 | Corsium | CT MX16 EV02 |
| Diagnostics Site Server (DSS) | DigitalDiagnost (C50, C90, Opta C50) | DR Compact |
| DuraDiagnost (Compact and F30) | EasyDiagnost | Holter Recorder DigiTrak XT (DTXT) |
| Ingenia (upgrade to R5 & Factory R5) | Ingenuity (Core, Core 128, Core128/Elite China, CT, CT Brazil, TF PET/CT, TF PET/CT RoHS systems) | IntelliSpace Breast |
| IntelliSpace Connect Release 1.0 | IntelliSpace ECG Management System B.00 (IECG) | IQon Spectral CT |
| Juno DRF | MicroDose (S0 (Balder), S1 (L50), S1 U (L50 U)) | MobileDiagnost (M50, Opta and wDR) |
| Multiva | Multiva/Prodiva | Prograde |
| ProxiDiagnost N90 | SPhAERA (3.x & 4.x) | ST80i A.02 |
| Vereos | | |
**Information or patch available in Incenter
End Update A
Publication Date: January 14, 2020
Update Date: January 14, 2020
Philips is aware that Microsoft is ending Extended Support for the Windows 7 and Windows Server 2008 R2 operating systems on January 14, 2020.
As part of Philips product lifecycle management processes, product security policy, and associated protocols, and in anticipation of the expiration of Microsoft’s Extended Support period for Windows 7 and Windows Server 2008 R2, Philips has been evaluating Philips products and solutions that utilize these operating systems.
Philips is currently working to provide information regarding expiration of Microsoft extended support for Windows 7 and Windows Server 2008 as related to Philips products and solutions together with guidance to attain any further required product-specific information in support of any Philips products or solutions that use these Microsoft operating systems.
Philips products and solutions must be deployed and operated within Philips-approved product specifications as noted in their Instructions for Use. Also, as required by government regulations in the markets we operate in, all changes of configuration or software to Philips’ products or solutions (including operating system security updates and patches) may be implemented only by following Philips product-specific, verified and validated, authorized, and communicated customer procedures or field actions.
Contract-entitled customers and service representatives may access product-specific service documentation produced by
Philips product teams and made available to Philips product service support and/or service delivery platforms
such as Philips InCenter (https://incenter.medical.philips.com). Entitled customers are encouraged to request Philips InCenter access and reference product-specific information when posted. Customers are also encouraged to contact their local service support team or regional product service support for information specific to their Philips’ products or environments.
Philips is providing the list below in order to assist our customers in identifying Philips’ products and solutions running on Microsoft Windows 7 or Windows Server 2008 R2. However, the list below is not exhaustive for all affected Philips products, and it includes:
| Access CT 6/16 – 2.x | Brilliance Big Bore / 4.2 | Brilliance iCT/4.x, iCT SP/4.x, 64/4.x |
| CareEvent * | CompuRecord * | Core Imaging S5 3.5, M2 4.2, |
| Diagnostic Site Server (DSS) | DynaCAD Breast and Prostate | DynaSuite Neuro 3 |
| eCareManager * | eICU * | G3 Alice6 * |
| HCIS RIS 2010 10.x Clients | HCIS Vue PACS 11.3, Vue PACS 11.4 * | HCIS Vue RIS 11.0.12.x, |
| HeartStart Configure 3.1 * | HeartStart Data Messenger 4.3.1 * | HeartStart Event Review 3.x, 4.x *,**** |
| HeartStart Event Review Pro 5.0 * | IBE * | IEM v11.0x * |
| Incisive CT/1.0 | Ingenuity CT / 4.x, Core, Core 128 | Ingenuity TF/4.0.x |
| IntelliSpace Critical Care and Anesthesia (ICCA) * | IntelliSpace ECG Management System B.00 (IECG) * | IntelliSpace ECG Management System B.00 (IECG) * |
| IntelliSpace PACS 4.4 | IntelliSpace Perinatal * | IntelliVue Guardian Software * |
| ISCV 1.x, 2.x, 3.x, 4.x * | ISP Anywhere 1.3 | ISP6/7/8 |
| Mobile 3.5 | MX 16/2.x | Oncad |
| PIIC iX, PIIC Classic * | Respironics Actiware * | SensaVue HD and fMRI |
| Sleepware G3 * | SPhAERA (3.0 to 3.5) **** | ST80i A.02 * |
| Syncvision 4.2 | Tempus ReachBak i2i * | UDM 1.1, 2.1 |
| Vereos/2.0.x | Viewforum for Fixed Systems V6.3V1L9 | Viewforum for Mobile Systems V6.3V1L7, V6.3V1L8 |
| Vue RIS 11.0.14.x | Xcelera 4.1 * | XIRIS 8.3 |
| Xper Flex Cardio | Xper IM 1.5, 2.x * | |
Information available from Philips InCenter, local service support, or regional product service support.
* Software only products with customer owned Operating Systems
**** End of Life (EoL)
If customers still have questions, all customers are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products or solutions.
Publication Date: December 19, 2019
Update Date: December 19, 2019
Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.
In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible system security vulnerabilities, the company is proactively issuing an advisory regarding specific Philips Veradius Unity (718132) Medical Devices with a Dual WAN Router (with wireless or ViewForum options) shipped between 2016 and August 2018. In addition, Pulsera (718095), and Endura (718075) Medical Devices with a Dual WAN Router (with wireless or ViewForum options) shipped between 26 June 2017 and 07 August 2018.
Philips has become aware that affected routers may have inadequate encryption strength, which may allow an unauthorized user to compromise the router management interface.
Data confidentiality is protected by internal system design preventing exploitation of the Dual WAN router vulnerability. Even if the Dual Wan Router vulnerability is exploited there is no possible access to patient data or interference with usage of the system. Thus, the medical device is safe to use and has no security risk.
Philips has a solution available for customers who have the wireless or ViewForum option in their product to update the configuration of the Dual WAN router.
To contact their local Philips service support team, or regional service support, Philips contact information is available at the following location:
https://www.usa.philips.com/healthcare/solutions/customer-service-solutions
Please see the Philips product security web site for the latest security information for Philips products: https://www.philips.com/productsecurity
Philips has reported this potential vulnerability and its resolution to customers and the appropriate government agencies, including US DHS CISA, which is issuing an advisory.
Publication Date: November 14, 2019
Update Date: December 12, 2019
Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive, ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.
In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible security vulnerabilities, the company is proactively issuing an advisory regarding the Philips IntelliBridge EC40 and EC80 Hub.
Philips has become aware of a potential issue with inadequate encryption strength associated with the Philips IntelliBridge EC40 and EC80 Hub. Successful exploitation of this issue may allow an unauthorized user access to the hub, and may allow access to execute software, modify system configuration, or view/update files, including unidentifiable patient data. No known public exploits specifically target this vulnerability. This vulnerability is exploitable from an adjacent network.
Philips plans a new release to remediate this issue by the end of Q3 2020. Philips has not received any reports of exploitation of this vulnerability or of incidents from clinical use that we have been able to associate with this issue.
Philips has reported this potential vulnerability and its mitigation to customers and the appropriate government agencies, including CISA, which is issuing an advisory.
Users with questions regarding their specific Philips IntelliBridge EC40/EC80 Hub installation should contact their local Philips service support team, or regional service support. Philips contact information is available at the following location:
https://www.usa.philips.com/healthcare/solutions/customer-service-solutions
US DHS CISA (Cybersecurity and Infrastructure Security Agency): https://www.us-cert.gov/ics/advisories/icsma-19-318-01
Publication Date: October 24, 2019
Update Date: October 24, 2019
Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive, ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.
In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible security vulnerabilities, the company is proactively issuing an advisory regarding the Philips IntelliSpace Perinatal obstetrics information system.
Philips has become aware that for Versions K and prior of the Philips IntelliSpace Perinatal system, a potential vulnerability may allow an unauthorized user access to system resources. This could impact confidentiality and integrity of the system and application. To exploit this issue, an attacker would require physical access to a locked application screen, or a remote desktop session host application.
Philips has not received any reports of exploitation of this vulnerability or of incidents from clinical use that we have been able to associate with this issue. Philips is providing customers with a detailed update to Philips IntelliSpace Perinatal documentation to provide clear guidance on recommended mitigations for this issue. This documentation is available to customers on Philips InCenter. Philips will be further assessing potential mitigations in the next minor product update, which is planned for the end of 2020.
Philips has reported this potential vulnerability and its mitigation to customers and the appropriate government agencies, including CISA, which is issuing an advisory.
Users with questions regarding their specific Philips IntelliSpace Perinatal installation should contact their Customer Success Manager (CSM), local Philips service support team, or regional service support. Philips contact information is available at the following location:
https://www.usa.philips.com/healthcare/solutions/customer-service-solutions
Please see the Philips product security web site for the latest security information for Philips products: https://www.philips.com/productsecurity
Publication Date: September 12, 2019
Update Date: September 12, 2019
In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible system security vulnerabilities, the company is proactively issuing an advisory regarding Versions A and B of the Philips IntelliVue Wireless Local Area Network (WLAN) module available in specific Philips IntelliVue Patient Monitors.
Philips has become aware that under certain specific conditions, an unauthorized user with a high skill level and access to the device’s local area network, may be able to corrupt the WLAN firmware and impact data flow. Should there be an interruption; an inoperative device alert on the device and on its associated central station would appear.
At this time, Philips has received no reports of patient harm. Philips analysis has shown that it is unlikely that this vulnerability would impact clinical use, due to mitigating controls currently in place. To date, Philips has received no complaints involving clinical use that we have been able to associate with this problem, or evidence of patient identifiers compromised.
To address this issue, Philips recommends customers update to the WLAN Module Version C wireless module in affected IntelliVue Monitors. WLAN Version C with current firmware of B.00.31 is not vulnerable to the described attack. Regarding other versions, WLAN Version A will be addressed via software patch from Philips estimated to be available in Incenter by the end of 2019. The Philips WLAN Version B is obsolete. Wireless network access should be controlled by authentication and authorization (e.g. WPA2), which are supported by Philips. Additional mitigations include implementing a firewall rule on the customer wireless network, and further controls on physical access to the system.
Philips has reported this potential vulnerability and its resolution to customers and the appropriate government agencies, including US DHS ICS-CERT, which is issuing an advisory.
Users with questions regarding their Philips IntelliVue WLAN Module software are advised by Philips to contact their local Philips service support team, or regional service support. Philips contact information is available at the following location:
https://www.usa.philips.com/healthcare/solutions/customer-service-solutions
Please see the Philips product security web site for the latest security information for Philips products: https://www.philips.com/productsecurity
Publication Date: August 29, 2019
Update Date: August 29, 2019
Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive, ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.
In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible system security vulnerabilities, the company is proactively issuing an advisory regarding the Philips HDI 4000 Ultrasound system. This system was discontinued in 2006, and product support ceased in 2013.
Philips has become aware that if the Philips HDI 4000 Ultrasound system is running on outdated, unsupported operating systems, such as Windows 2000, an unauthorized user may be able to access ultrasound images or compromise image integrity.
Philips has not received any reports of exploitation of these vulnerabilities or of incidents from clinical use that we have been able to associate with this problem. This issue does not affect patient safety, system operations, or availability.
Philips recommends as mitigation that users implement controls to limit access to the network and consider replacing the system with a newer technology and supported operating system.
Philips has reported this potential vulnerability and its mitigation to customers and the appropriate government agencies, including US DHS ICS-CERT, which is issuing an advisory.
Users with questions regarding their specific Philips HDI 4000 Ultrasound system installation should contact their Customer Success Manager (CSM), local Philips service support team, or regional service support. Philips contact information is available at the following location:
https://www.usa.philips.com/healthcare/solutions/customer-service-solutions
Please see the Philips product security web site for the latest security information for Philips products: https://www.philips.com/productsecurity
Publication Date: August 15, 2019
Update Date: April 20, 2019
Philips is currently monitoring developments and updates related to the recent Microsoft alert concerning the reported Remote Desktop Services Remote Code Execution vulnerability named DejaBlue (CVE-2019-1181 and CVE-2019-1182).
As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for OS updates related to these vulnerabilities and evaluating further actions or updates to potentially affected Philips products.
Microsoft has released patches to help remediate these vulnerabilities. Philips is currently in the process of evaluating these patches. Successful exploitation of this vulnerability could allow an unauthorized user to execute arbitrary code on the target system. An unauthorized user could then install programs; view, change, or delete data; or create new accounts with full user rights.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.
Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products.
Begin Update C: April 20, 2020
| Affiniti (30,50,70) | IE33 | Juno DRF(5.7) |
| Analytics 1.1 | IEM v11.01-v11.04** | MicroDose SI (L50) (9.0 P1,P2,P3) |
| ClearVue | IntelliSpace Breast (v2.1, 2.2, 3.1, 3.2) | MicroDose SI U (L50 U)(9.0 P1,P2,P3) |
| CX50/30 | IntelliSpace Cardiovascular (ISCV 1.x - 3.x))* | Sparq |
| Diagnostic Site Server (DSS) | IntelliSpace PACS 4.4 | SPhAERA`(3.6 & up) |
| Efficia Central - SureSigns Monitor / CMS200(C.01)** | IntelliSpace PACS 4.4.55x | UDM(1.1, 2.1) |
| Envisor | IntelliSpace Portal Server(7,8,9)** | VISIQ |
| Epiq (5/7) | IntelliSpace Portal Workstation(7,8,9,10)** | Xcelera 4.1 |
| FocalPoint (A.0/A.01)** | ISP Anywhere(1.3) | XIRIS (8.1, 8.3) |
| IBE (B.02 - B.09)*,** | ISP VL Caputre 1.1 Visible Light | Xper IM(1.5, 2.x) |
| IU22 | | |
*Software only products with customer owned Operating Systems
**Information or patch available in Incenter
Note:
For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips service teams from providing any required immediate and proactive support such as remote patching.
Philips is continuing to assess the Microsoft patch for Philips’ products and services that use remote desktop services. Philips will use Incenter as the communication mechanism for necessary mitigation or remediation.
End Update C
Begin Update B: December 13, 2019
| Affiniti (30,50,70) | IE33 | Juno DRF(5.7) |
| Analytics 1.1 | IEM v11.01-v11.04** | MicroDose SI (L50) (9.0 P1,P2,P3) |
| ClearVue | IntelliSpace Breast (v2.1, 2.2, 3.1, 3.2) | MicroDose SI U (L50 U)(9.0 P1,P2,P3) |
| CX50/30 | IntelliSpace Cardiovascular (ISCV 1.x - 3.x))* | Sparq |
| DSS | IntelliSpace PACS 4.4 | SPhAERA`(3.6 & up) |
| Efficia Central - SureSigns Monitor / CMS200(C.01)** | IntelliSpace PACS 4.4.55x | UDM(1.1, 2.1) |
| Envisor | IntelliSpace Portal Server(7,8,9)** | VISIQ |
| Epiq (5/7) | IntelliSpace Portal Workstation(7,8,9,10)** | Xcelera 4.1 |
| FocalPoint (A.0/A.01)** | ISP Anywhere(1.3) | XIRIS (8.1, 8.3) |
| IBE (B.02 - B.09)*,** | ISP VL Caputre 1.1 Visible Light | Xper IM(1.5, 2.x) |
| IDM | IU22 | |
*Software only products with customer owned Operating Systems
**Information or patch available in Incenter
Note: For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips service teams from providing any required immediate and proactive support such as remote patching.
Philips is continuing to assess the Microsoft patch for Philips’ products and services that use remote desktop services. Philips will use Incenter as the communication mechanism for necessary mitigation or remediation.
End Update B
Publication Date: August 1, 2019
Update Date: December 11, 2019
Security researchers at Armis have disclosed 11 different zero-day vulnerabilities within Wind River’s VxWorks, a real-time operating system used in over 2 billion embedded systems that include medical devices, routers, VOIP phones and mission-critical infrastructure equipment. The collection of vulnerabilities, which Armis refers to as "Urgent/11," could lead to remote code execution and allow an attacker to take over a whole system without interacting with the user. Of the 11 flaws, six are deemed critical. Successful exploitation of this vulnerability could allow an unauthorized user to execute arbitrary code on the target system. An unauthorized user could then install programs; view, change, or delete data; or create new accounts with full user rights.
Philips is currently monitoring developments and updates related to the recent published advisory (ICSA-19-211-01) concerning the reported 11 CVEs as referred to as Urgent/11. In the advisory, there are several versions of VxWorks listed as not vulnerable, which Philips has taken into consideration for product evaluation and analysis.
As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing VxWorks for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for OS updates related to these vulnerabilities and evaluating further actions or updates to potentially affected Philips products. VxWorks has released patches to help remediate these vulnerabilities. Philips is currently in the process of evaluating these patches.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.
Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products.
Begin Update E: December 11, 2019
Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to Urgent/11. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.
| Achieva and Achieva 3.0T (R5.3, R5.4 and higher)*** | HDI 3500 **** | Multiva/Prodiva (R5.4)*** |
| BrightView SPECT(1.x)*** | HDI 3000 **** | Smart-hopping Access Point Controller (for MX40 and Telemetry products)** |
| BrightView X(2.x)*** | Ingenia (R4, R5.3, R5.4 and higher)*** | Zenition** |
| BrightView XCT(2.x)*** | IntelliSpace Breast (v2.1, 2.2, 3.1, 3.2) | |
| GEOPC (Component of Allura & Azurion) *** | Multiva (R5.3, R5.4)*** | |
**Information or patch available in Incenter
*** Vulnerability is TCP/IP related and these are not network connected
**** End of Life (EoL)
End Update E
Begin Update D: September 11, 2019
Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to Urgent/11. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.
| Achieva and Achieva 3.0T (R5.3, R5.4 and higher)*** | GEOPC (Component of Allura & Azurion) *** | HDI 3000 **** |
| HDI 3500 **** | Ingenia (R4, R5.3, R5.4 and higher)*** | Multiva (R5.3, R5.4)*** |
| Smart-hopping Access Point Controller (for MX40 and Telemetry products)** | Multiva/Prodiva (R5.4)*** | Zenition** |
**Information or patch available in Incenter
*** Vulnerability is TCP/IP related and these are not network connected
**** End of Life (EoL)
End Update D
Begin Update C: August 15, 2019
Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to Urgent/11. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.
| Achieva and Achieva 3.0T (R5.3, R5.4 and higher)*** | GEOPC (Component of Allura & Azurion) *** | HDI 3000 **** |
| HDI 3500 **** | Ingenia (R4, R5.3, R5.4 and higher)*** | Multiva (R5.3, R5.4)*** |
| Smart-hopping Access Point Controller (for MX40 and Telemetry products) | Multiva/Prodiva (R5.4)*** | Zenition** |
**Information or patch available in Incenter
*** Vulnerability is TCP/IP related and these are not network connected
**** End of Life (EoL)
End Update C
Begin Update B: August 8, 2019
Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to Urgent/11. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.
Update B supersedes products listed in Update A as they were determined to be running non-vulnerable versions of VxWorks.
| GEOPC (Component of Allura & Azurion) *** | HDI 3000 **** | HDI 3500 **** |
| Smart-hopping Access Point Controller (for MX40 and Telemetry products) | Zenition** | |
**Information or patch available in Incenter
*** Vulnerability is TCP/IP related and these are not network connected
**** End of Life (EoL)
End Update B
Begin Update A: August 2, 2019
Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to Urgent/11. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.
<Reference table in Update B>
**Information or patch available in Incenter
End Update A
Publication Date: July 11, 2019
Update Date: July 11, 2019
Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.
In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible system security vulnerabilities, the company is proactively issuing an advisory regarding the Philips Holter 2010 Plus electrocardiogram (EKG) software.
Philips has become aware that under certain specific conditions, an unauthorized user with high skill level may potentially be able to access software options not purchased by the customer. The threat if exploited could lead to the enablement of system options not purchased. It does not impact patient safety, patient data integrity or confidentiality or system operations.
Philips recommends users implement role-based access controls to control physical access to the system. Further controls are provided by the multiple components required to exploit the vulnerability.
Philips has reported this potential vulnerability and its resolution to customers and the appropriate government agencies, including US DHS ICS-CERT, which is issuing an advisory.
Users with questions regarding their specific Philips Holter 2010 Plus software installation are advised by Philips to contact their Customer Success Manager (CSM), local Philips service support team, or regional service support. Philips contact information is available at the following location:
https://www.usa.philips.com/healthcare/solutions/customer-service-solutions.
Publication Date: May 15, 2019
Update Date: April 20, 2019
Begin Update G: April 20, 2020
Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2019-0708. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.
| Analytics 1.1 | IntelliSpace ECG Management System B.00 (IECG)*, ** | Oncad |
| CompuRecord (F.02, G.00, and G.01)* | IntelliSpace PACS (4.4, 4.4.551, 4.4.553)*** | PIIC Classic (L, M, N, N.01)** |
| Diagnostics Site Server (DSS) | IntelliSpace Perinatal Revision (H, J, K)*,** | PIIC iX (A.0, B.0, B.02)** |
| DynaCAD Breast and Prostate* | IntelliSpace Portal (ISP) Server& Workstation** | SensaVue HD & FMRI |
| DynaSuite Neuro 3* | IntelliVue Guardian Software*,** | ST80i A.02*,** |
| Efficia Central - SureSigns Monitor / CMS200 | Invivo Esys | UDM (v1.1, 2.1)*** |
| eICU*,** | ISEE** | UroNav (1.x/2.x) |
| Extended Brilliance Workspace (EBW)** | ISP Anywhere (v1.3) | Xcelera 4.1* |
| Forcare suite* | ISP VL Caputre 1.1 Visible Light (v1.1) | XIRIS (8.2, 8.3) |
| Holter Recorder DigiTrak XT (DTXT) * | Juno DRF (5.0-.6, 5.7)** | Xper IM*,** |
| IBE (B.02, B.03, B.04, B.05, B.06, B.07, B.08, B.09, B.10)** | Lung Cancer Screening Solution* | XIRIS (8.2, 8.3) |
| ICCA (F, G)*,** | MicroDose L30 (8.0, 8.1, 8.2 P1, 8.3 P1, 8.4 P1 P2 P3)** | Xper IM*,** |
| IEM (v11.00, v11.01, v11.02, v11.03, v11.04)** | MicroDose SI L50 (9.0 P1, P2, P3, P4, P5)** | |
| IntelliSpace Breast (v2.1, 2.2, 3.1, 3.2) | MicroDose SI U L50 U (9.0 P1, P2, P3, P4, P5)** | |
| Intellispace Cardiovascular (ISCV)*,**** | MR** Intera/Achieva/Ingenia/Multiva/Panorama 1.0T/Prodiva R5.3 | |
*Software only products with customer owned Operating Systems
**Information or patch available in Incenter
***Philips hosting business validated and deployed the patch to the managed infrastructure
****Patch is tested and can be installed via the windows update mechanism
Note:
For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips service teams from providing any required immediate and proactive support such as remote patching.
Philips is continuing to assess the Microsoft patch for Philips’ products and services that use remote desktop services. Philips will use Incenter as the communication mechanism for necessary mitigation or remediation.
End Update G
Begin Update F: December 10, 2019
Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2019-0708. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.
| Analytics 1.1 | IntelliSpace Breast (v2.1, 2.2, 3.1, 3.2) | MicroDose SI U L50 U (9.0 P1, P2, P3, P4, P5)** |
| CompuRecord (F.02, G.00, and G.01)* | Intellispace Cardiovascular (ISCV)*,**** | MR** Intera/Achieva/Ingenia/Multiva/Panorama 1.0T/Prodiva R5.3 |
| Diagnostics Authoring Workspot (DAW)** | IntelliSpace ECG Management System B.00 (IECG)*, ** | Oncad |
| Diagnostics Site Server (DSS) | IntelliSpace PACS (4.4, 4.4.551, 4.4.553)*** | PIIC Classic (L, M, N, N.01)** |
| DynaCAD Breast and Prostate* | IntelliSpace Perinatal Revision (H, J, K)*,** | PIIC iX (A.0, B.0, B.02)** |
| DynaSuite Neuro 3* | IntelliSpace Portal (ISP) Server& Workstation** | SensaVue HD & FMRI |
| Efficia Central - SureSigns Monitor / CMS200 | IntelliVue Guardian Software*,** | ST80i A.02*,** |
| eICU*,** | Invivo Esys | UDM (v1.1, 2.1)*** |
| Extended Brilliance Workspace (EBW)** | ISEE** | UroNav (1.x/2.x) |
| Forcare suite* | ISP Anywhere (v1.3) | Xcelera 4.1* |
| Holter Recorder DigiTrak XT (DTXT) * | ISP VL Caputre 1.1 Visible Light (v1.1) | XIRIS (8.2, 8.3) |
| IBE (B.02, B.03, B.04, B.05, B.06, B.07, B.08, B.09, B.10)** | Juno DRF (5.0-.6, 5.7)** | Xper IM*,** |
| ICCA (F, G)*,** | Lung Cancer Screening Solution* | |
| IDM | MicroDose L30 (8.0, 8.1, 8.2 P1, 8.3 P1, 8.4 P1 P2 P3)** | |
| IEM (v11.00, v11.01, v11.02, v11.03, v11.04)** | MicroDose SI L50 (9.0 P1, P2, P3, P4, P5)** | |
*Software only products with customer owned Operating Systems
**Information or patch available in Incenter
***Philips hosting business validated and deployed the patch to the managed infrastructure
****Patch is tested and can be installed via the windows update mechanism
Note:
For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips service teams from providing any required immediate and proactive support such as remote patching.
Philips is continuing to assess the Microsoft patch for Philips’ products and services that use remote desktop services. Philips will use Incenter as the communication mechanism for necessary mitigation or remediation.
Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2019-0708. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.
| Analytics 1.1 | IntelliSpace Breast (v2.1, 2.2, 3.1, 3.2) | MicroDose SI L50 (9.0 P1, P2, P3, P4, P5) |
| CompuRecord (F.02, G.00, and G.01)* | Intellispace Cardiovascular (ISCV)* | MicroDose SI U L50 U (9.0 P1, P2, P3, P4, P5) |
| Diagnostics Authoring Workspot (DAW)** | IntelliSpace ECG Management System B.00 (IECG)*, ** | MR Intera/Achieva/Ingenia/Multiva/Prodiva R5.3 |
| Diagnostics Site Server (DSS) | IntelliSpace PACS (4.4, 4.4.551, 4.4.553) | PIIC Classic (L, M, N, N.01)** |
| Efficia Central - SureSigns Monitor / CMS200 | IntelliSpace Perinatal Revision (H, J, K)*,** | PIIC iX (A.0, B.0, B.02)** |
| eICU*,** | IntelliSpace Portal (ISP) Server& Workstation** | ST80i A.02*,** |
| Extended Brilliance Workspace (EBW)** | IntelliVue Guardian Software* | UDM (v1.1, 2.1) |
| Forcare suite* | ISEE | Xcelera 4.1* |
| Holter Recorder DigiTrak XT (DTXT) * | ISP Anywhere (v1.3) | XIRIS (8.2, 8.3) |
| IBE (B.02, B.03, B.04, B.05, B.06, B.07, B.08, B.09, B.10)** | ISP VL Caputre 1.1 Visible Light (v1.1) | Xper IM* |
| ICCA (F, G)** | Juno DRF (5.0-.6, 5.7) | |
| IEM (v11.00, v11.01, v11.02, v11.03, v11.04)** | MicroDose L30 (8.0, 8.1, 8.2 P1, 8.3 P1, 8.4 P1 P2 P3) | |
*Software only products with customer owned Operating Systems
**Information or patch available in Incenter
Note:
For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips service teams from providing any required immediate and proactive support such as remote patching.
Philips is continuing to assess the Microsoft patch for Philips’ products and services that use remote desktop services. Philips will use Incenter as the communication mechanism for necessary mitigation or remediation.
Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2019-0708. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.
| CompuRecord (F.02, G.00, and G.01)* | IBE (B.02, B.03, B.04, B.05, B.06, B.07, B.08, B.09, B.10)** | IntelliSpace Portal (ISP) Server& Workstation** |
| Diagnostics Authoring Workspot (DAW)** | ICCA (F, G)** | IntelliVue Guardian Software* |
| Efficia Central - SureSigns Monitor / CMS200 | IEM (v11.00, v11.01, v11.02, v11.03, v11.04)** | MR Intera/Achieva/Ingenia/Multiva/Prodiva R5.3 |
| eICU*,** | IntelliSpace Breast | PIIC Classic (L, M, N, N.01)** PIIC iX (A.0, B.0, B.02)** |
| Extended Brilliance Workspace (EBW)** | Intellispace Cardiovascular (ISCV)* | ST80i A.02*,** |
| Forcare suite* | IntelliSpace ECG Management System B.00 (IECG)*, ** | Xcelera 4.1* |
| Holter Recorder DigiTrak XT (DTXT) * | IntelliSpace Perinatal Revision (H, J, K)*,** | Xper IM* |
*Software only products with customer owned Operating Systems
**Information or patch available in Incenter
Note:
For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips service teams from providing any required immediate and proactive support such as remote patching.
Philips is continuing to assess the Microsoft patch for Philips’ products and services that use remote desktop services. Philips will use Incenter as the communication mechanism for necessary mitigation or remediation.
Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2019-0708. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.
| CompuRecord (F.02, G.00, and G.01)* | IBE (B.02, B.03, B.04, B.05, B.06, B.07, B.08, B.09, B.10)** | IntelliSpace Portal (ISP) Server& Workstation** |
| DAW** | ICCA (F, G)** | IntelliVue Guardian Software* |
| Efficia Central - SureSigns Monitor / CMS200 | IEM (v11.00, v11.01, v11.02, v11.03, v11.04)** | MR Intera/Achieva/Ingenia/Multiva/Prodiva R5.3 |
| eICU* | IntelliSpace Breast | PIIC Classic (L, M, N, N.01) |
| Extended Brilliance Workspace (EBW)** | Intellispace Cardiovascular (ISCV)* | ST80i A.02 |
| Forcare suite* | IntelliSpace ECG Management System B.00 (IECG)* | Xcelera 4.1* |
| Holter Recorder DigiTrak XT (DTXT) * | IntelliSpace Perinatal Revision (F, J.x)* | Xper IM* |
*Software only products with customer owned Operating Systems
**Information or patch available in Incenter
Note:
For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips service teams from providing any required immediate and proactive support such as remote patching.
Philips is continuing to assess the Microsoft patch for Philips’ products and services that use remote desktop services. Philips will use Incenter as the communication mechanism for necessary mitigation or remediation.
Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2019-0708. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.
| CompuRecord (F.02, G.00, and G.01)* | IBE (B.02, B.03, B.04, B.05, B.06, B.07, B.08, B.09, B.10)** | IntelliSpace Portal (ISP) Server& Workstation** |
| DAW** | ICCA (F, G)** | IntelliVue Guardian Software* |
| Efficia Central - SureSigns Monitor / CMS200 | IEM (v11.00, v11.01, v11.02, v11.03, v11.04)** | PIIC Classic (L, M, N, N.01) |
| eICU* | IntelliSpace Breast | ST80i A.02 |
| Extended Brilliance Workspace (EBW)** | Intellispace Cardiovascular (ISCV)* | Xcelera 4.1* |
| Forcare suite* | IntelliSpace ECG Management System B.00 (IECG)* | Xper IM* |
| Holter Recorder DigiTrak XT (DTXT) * | IntelliSpace Perinatal Revision (F, J.x)* | |
*Software only products with customer owned Operating Systems
**Information or patch available in Incenter
Note:
For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips service teams from providing any required immediate and proactive support such as remote patching.
Philips is continuing to assess the Microsoft patch for Philips’ products and services that use remote desktop services. Philips will use Incenter as the communication mechanism for necessary mitigation or remediation.
Philips is providing the list below in order to better assist our customers in identifying any Philips’ products running Windows XP, Windows 7, Windows 2003 and Windows 2008. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.
| CompuRecord (F.02, G.00, and G.01) | Efficia Central - SureSigns Monitor / CMS200 | eICU |
| Holter Recorder DigiTrak XT (DTXT) | IBE (B.02, B.03, B.04, B.05, B.06, B.07, B.08, B.09, B.10) | ICCA (F, G) |
| IEM (v11.00, v11.01, v11.02, v11.03, v11.04) | IntelliSpace ECG Management System B.00 (IECG) | IntelliSpace Perinatal Revision (F, J.x) |
| IntelliVue Guardian Software | ST80i A.02 | |
Note:
For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips service teams from providing any required immediate and proactive support such as remote patching.
Philips is continuing to assess the Microsoft patch for Philips’ products and services that use remote desktop services. Philips will use Incenter as the communication mechanism for necessary mitigation or remediation.
Philips is currently monitoring developments and updates related to the recent Microsoft alert concerning the reported Remote Desktop Services Remote Code Execution vulnerability (CVE-2019-0708).
As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for OS updates related to these vulnerabilities and evaluating further actions or updates to potentially affected Philips products.
Microsoft has released patches to help remediate these vulnerabilities. Philips is currently in the process of evaluating these patches.
Successful exploitation of this vulnerability could allow an unauthorized user to execute arbitrary code on the target system. An unauthorized user could then install programs; view, change, or delete data; or create new accounts with full user rights.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.
Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products.
Publication Date: May 2, 2019
Update Date: June 6, 2019
Philips is aware of recently published findings by security researchers regarding the potential for cybersecurity vulnerabilities in medical imaging equipment and networks related to the Digital Imaging and Communications in Medicine (DICOM) standard, which is used for the exchange of medical images. The Philips global Product Security team is reviewing the published research for further analysis.
A number of the research study’s proposed defenses for the type of cyber-attack have long been advocated and implemented by Philips across our systems and products, including network and device environment hardening, as well as data encryption, limiting device Internet exposure and identity/password protection. Philips continues to be a strong proponent of device encryption and end-to-end encryption strategies are part of Philips’ design-for-security development and deployment of our products and systems.
At this time, a Philips product security analysis of imaging systems indicates limited exposure to this potential vulnerability, whether via network-based use or physical media. Philips imaging systems typically do not interpret or otherwise interact with the indicated DICOM “preamble” content, which has been identified as a possible vector for malicious code.
To date, the company has not received any reports of exploitation of these vulnerabilities or incidents from clinical use of Philips products that are associated with the type of attack demonstrated in published research. Additionally, Philips is not aware that the company’s devices were part of the research.
Philips welcomes collaboration with the security research community with regard to exploring strategies and methods to identify, address, and disclose known or potential cybersecurity threats to medical devices. Philips recognizes that the security of our healthcare, personal health, and home consumer products and services are business critical for our customers. We are dedicated to helping our customers maintain the confidentiality, integrity, and availability of personal data, business data and the Philips hardware and software products that create and manage this data.
Philips operates under a global Product Security policy governing design-for-security in product and services creation, as well as risk assessment and incident response activities for vulnerabilities identified in existing products.
In a medical devices industry “first”, Philips has established a Security Center of Excellence (SCoE) to develop products, which are “cyber-resilient”.
We have also taken the lead in creating a Coordinated Vulnerability Disclosure (CVD) Policy, to collaborate with customers, security researchers, regulators and other agencies to help identify, address and disclose potential vulnerabilities in a safe and effective manner.
To fulfill our commitment to security, Philips maintains a global program to:
Publication Date: April 30, 2019
Update Date: November 7, 2019
Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.
In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible system security vulnerabilities, the company is proactively issuing an advisory regarding the Philips TASY EMR system Version 3.02.1744 and earlier (possible cross-scripting issue) and the Philips TASY Web Portal Version 3.02 1757 and earlier (possible information exposure issue).
This is an update to the April 2019 Coordinated Vulnerability Disclosure by Philips regarding this software, to add the TASY Web Portal issue.
Philips has become aware that these potential issues may allow an attacker with low skill to compromise patient confidentiality, system integrity, and/or system availability. Some of the affected vulnerabilities could be attacked remotely.
At this time, Philips has received no reports of exploitation of these vulnerabilities or incidents from clinical use that we have been able to associate with this problem. Philips analysis has shown that it is unlikely that this vulnerability would impact clinical use, due to mitigating controls currently in place. Philips analysis indicates that there is no expectation of patient hazard due to this issue. To date, Philips has received no complaints involving clinical use that we have been able to associate with this problem.
Philips advises customers to follow manufacturer instructions in the system configuration manual and not provide Internet access to the system without a Virtual Private Network (VPN). Customers are also advised to be on the last three (3) released versions, following the system software release schedule, and also upgrade service packs as soon as possible. Hosted solutions will be patched automatically. Customers running the application on premise are alerted via release notes on changes to the system.
Philips has reported this potential vulnerability and its resolution to customers and the appropriate government agencies, including US DHS ICS-CERT, which is issuing an advisory.
Users with questions regarding their specific Philips TASY EMR system are advised by Philips to contact their Customer Success Manager (CSM), local Philips service support team, or regional service support. Philips contact information is available at the following location:
https://www.usa.philips.com/healthcare/solutions/customer-service-solutions
Publication Date: February 14, 2019
Update Date: February 14, 2019
Philips is currently monitoring updates related to the recent advisory by National Institute of Standards and Technology (NIST) regarding a flaw in runc, Docker and Kubernetes’ container runtime. (See Advisory: https://nvd.nist.gov/vuln/detail/CVE-2019-5736.) RunC is the underlying container runtime for Docker, Kubernetes, and other container-dependent programs. It is an open-source command-line tool for spawning and running containers.
As part of Philips’ product security policy and protocols, Health Suite Digital Platform (HSDP) is aware of the recently disclosed security issue that affects several open-source container management systems (CVE-2019-5736). HSDP Operations reviewed the security bulletin and determined that the Cloud Foundry and container-host service environments are not vulnerable due to user namespaces being strictly enforced. No action is required by clients to address this security issue. At this time, Philips has not received reports of these vulnerabilities affecting clinical use of company products.
Philips advises customers with product concerns relating to these vulnerabilities should send an email to productsecurity@philips.com. Further information regarding Philips’ recommendations regarding this event may be found at the Philips product security web site: https://www.philips.com/productsecurity
Customers with questions regarding their specific products are advised to contact their local Philips service support team or their regional service support. Philips contact information is available at the following web page: https://www.usa.philips.com/healthcare/solutions/customer-service-solutions
