Philips CT Imaging System Vulnerabilities (1-MAY-2018)
Publication Date: May 1, 2018
Update Date: October 10, 2019
Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.
As part of Philips’ Responsible Disclosure Policy for the awareness and remediation of identified product security vulnerabilities, the company is proactively issuing an advisory concerning a potential, low-risk security vulnerability that may affect the following Philips Computed Tomography (CT) imaging systems:
• Brilliance 64 version 2.6.2 and below
• Brilliance iCT versions 4.1.6 and below
• Brilliance iCT SP versions 3.2.4 and below
• Brilliance CT Big Bore version 2.3.5 and below
• MX8000 Dual EXP Systems (CWE-798 only)
Philips has confirmed that the potential security vulnerability, if successfully exploited, may allow an attacker to gain unauthorized access to elevated privileges and/or restricted system resources and information. This vulnerability is not exploitable remotely and cannot be exploited without user interaction. An attacker would need local access to the kiosk environment of the medical device to be able to implement the exploit.
At this time, Philips has received no reports of exploitation of this vulnerability or incidents from clinical use that have been associated with the vulnerability.
Philips has identified the following guidance and mitigations:
• Users should operate all Philips deployed and supported CT products within Philips authorized specifications, including Philips approved software, software configuration, system services, and security configuration such as firewall operations.
• Philips also recommends customers implement a comprehensive, multi-layered strategy to protect their systems from internal and external security threats, including restricting physical access of the scanner to only authorized personnel, thus reducing the risk of physical access being compromised by an unauthorized user.
• Philips has also remediated hard-coded credential vulnerabilities for all Brilliance iCT 4.x and above versions. The Philips iCT-iPatient (v4.x) family Instructions for Use (IFU) refers to the ability to manage credentials and is accessible from Philips In.Center at https://incenter.medical.philips.com for entitled users.
• Since the MX8000 Dual EXP has been out of support since 2017, Philips recommends a replacement based on customer need.
Philips has reported this potential vulnerability and mitigations to customers and the appropriate government agencies, including ICS-CERT, which is issuing an advisory update.
Philips recognizes that the security of our healthcare, personal health, and home consumer products and services is business critical for our customers. Philips has taken the lead in creating a Responsible Disclosure Policy to collaborate with customers, security researchers, regulators and other agencies to help proactively identify, address and disclose potential vulnerabilities in a safe and effective manner.
Customers with questions regarding their specific Philips CT installations are advised by Philips to contact their local Philips service support team or their regional service support. Philips contact information is available at the following location: https://www.usa.philips.com/healthcare/solutions/customer-service-solutions