Publication Date: 2021 June 29 

Update Date: 2021 July 6

 

Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive, ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.
 

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible security vulnerabilities, the company is proactively issuing an advisory regarding potential issues related to certain versions of Philips Vue PACS (Picture Archiving and Communications System) software and related products:
 

  • Vue PACS versions 12.2.x.x and prior
  • Vue MyVue versions 12.2.x.x and prior
  • Vue Speech versions 12.2.x.x and prior
  • Vue Motion versions 12.2.1.5 and prior
     

Philips has identified potential security vulnerabilities that under specific conditions could impact or potentially compromise patient confidentiality, system integrity, and/or system availability. To minimize the potential risk of these vulnerabilities, Philips recommends that users upgrade to the latest Philips Vue PACS software running on Windows Operating System 2019 and enable security patching procedures for timely security updates.
  

Philips’ analysis has shown that the skill required to exploit these issues ranges from low to high. If they are exploited, unauthorized users may be able to provide unexpected input into the application, execute arbitrary code, alter the intended control flow of the system, access sensitive information, or potentially cause a system crash.
 

Philips has identified that some of these vulnerabilities could be exploited remotely. Exploits that could target some of the vulnerabilities are known to be publicly available.
 

To date, Philips has not received any reports of exploitation of these issues or of incidents from clinical use that we have been able to associate with these issues. It is unlikely that these potential vulnerabilities would impact clinical use. Philips has released software updates and has controlling mitigations in place on the affected software to limit the risk and exploitability of most of these vulnerabilities.
 

Philips has reported these potential vulnerabilities and their resolution to the appropriate government agencies, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which is issuing an advisory.

Philips has also sent a letter to all its customers. Users with questions regarding their specific Vue PACS solutions are advised to contact their local Philips service support team.

 

Cybersecurity & Infrastructure Security Agency (CISA) Advisory: https://us-cert.cisa.gov/ics/advisories/icsma-21-187-01