Publication Date: 2021 May 26 

Update Date:  2021 May 28

 

Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive, ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.  

 

Philips continues to review developments related to recently reported VMware vCenter Server and VMware Cloud Foundation critical and medium rated vulnerabilities (CVE-2021-21985 & CVE-2021-21986). According to VMware advisory VMSA-2021-0010 these VMware vCenter Server updates address remote code execution and authentication vulnerabilities.

 

Following evaluation of the reported VMware vulnerabilities, Philips has identified a limited number of products that contain affected VMware software. Philips' analysis has determined that the majority of these products are not affected by the reported vulnerability.

 

For products potentially affected by the VMware vulnerability, Philips has determined that if affected VMware software is updated to the most recent versions containing the security upgrade, the reported vulnerabilities are mitigated. Philips does not provide or maintain VMware for customers using these products and advises customers to assess their VMware environment to determine if a software update/upgrade is necessary.

 

Affected Philips systems are safe for continued operation consistent with their Instructions for Use.  To date, Philips has not received any reports of exploitation of these issues or of incidents from clinical use that we have been able to associate with this issue.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips-approved product specifications.

 

Begin Update A: 2021 May 28

 

Philips is providing the list below to better assist our customers in identifying any Philips products running on VMware vCenter Server and VMware Cloud Foundation that could be vulnerable to CVE-2021-21985 or CVE-2021-21986. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

CareEvent C.0x*
IntelliSpace PACS 4.4, 4.4.551, 4.4.553***
Patient Information Center (PIC) iX B.0x/C.0x*
Clinical Collaboration Platform (registered as VuePACS)*
IntelliSpace Portal Server and IntelliSpace Portal Enterprise*
PerformanceBridge Focal Point A.0x*
eCareManager 4.2.x/4.3.x/4.4.x/4.5.x*
IntelliSpace Portal Enterprise (Concerto) solution with hardware and VM/vSphere infrastructure supplied by Philips***,****
Pinnacle 18.x***
IntelliSite Pathology Solution
IntelliVue Guardian Software (IGS) E.0x*
RIS (formerly known as Vue)*
IntelliSpace Critical Care and Anesthesia (ICCA) H.02/J.01*
Multi-patient Bridge 1.0.x/2.0.x*
UDM 1.1, 2.1

*Software-only product; customers may have installed these products on VMware. For these products, Philips does not validate VMware security patches. It is the customer's responsibility to validate and deploy VMware patches.

**Information or patch available in Incenter

***Philips hosting business is in the process of validating and deploying the patch to the managed infrastructure

****In case of valid service level agreement, Philips is in the process of validating and deploying the patch on the Philips provided infrastructure. In case there is no valid service level agreement, please contact your local Philips IntelliSpace Portal representative.

 

End Update A
