Publication Date: March 28, 2018
Update Date: March 28, 2018
Philips is a committed leader in medical device cybersecurity. Governed by our global Product Security Policy, the company conducts extensive ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.
As part of Philips’ Responsible Disclosure Policy for the awareness and remediation of potential system security vulnerabilities, Philips is proactively issuing an advisory concerning potential vulnerabilities that may affect Philips iSite and IntelliSpace PACS (Picture Archiving and Communications Systems).
Philips has confirmed that Philips iSite and IntelliSpace PACS contain security vulnerabilities that under certain specific conditions could impact or potentially compromise patient confidentiality, system integrity, and/or system availability. To remediate the risk of these identified vulnerabilities, Philips is offering customers a number of potential options to select, based on their requirements.
Philips’ analysis has shown that these issues, if fully exploited, may allow attackers of low skill to provide unexpected input into the application, execute arbitrary code, alter the intended control flow of the system, access sensitive information, or potentially cause a system crash. Philips has identified that some of the affected vulnerabilities could be attacked remotely. Exploits that could target some of the vulnerabilities are known to be publicly available.
At this time, Philips has received no reports of patient harm. Philips’ analysis has shown that it is unlikely that this vulnerability would impact clinical use, due to mitigating controls currently in place. To date, Philips has received no complaints involving clinical use that we have been able to associate with this problem.
Philips IntelliSpace PACS runs in a managed service environment which adheres to ICS-CERT recommendations to minimize the risk of exploitation (Virtual Private Network, Firewall isolation from other networks, no internet access). In addition, Philips employs an automated Antivirus solution that continuously monitors and remediates threats across all systems in the managed service environment. Philips has a monthly recurring patch program in which all IntelliSpace PACS users are encouraged to participate. Customers who participate in this program receive all Philips-approved operating system and application patches in a timely fashion.
In addition, in 2016 Philips announced software updates and has controlling mitigations on the affected PACS systems to further limit the risk and exploitability of these vulnerabilities. The Philips iSite 3.6 platform is currently at its end of life (EoL) and end of service (EoS).
Philips recommends three paths that customers may select depending on their particular situation, which are offered by Philips at no charge for full service delivery model contracts:
- The simplest and most straightforward option is to enroll in Philips’ recurring patching program; this will remediate 86% of all known vulnerabilities.
- A more robust option is to enroll in Philips’ recurring patching program and update system firmware. This option will remediate 87% of all known vulnerabilities including all known critical vulnerabilities.
- The most robust option offered by Philips is to enroll in the recurring patching program, update system firmware, and upgrade to IntelliSpace PACS 4.4.55x with Windows operating system 2012, which addresses product hardening. This option remediates 99.9% of all the known vulnerabilities including all critical vulnerabilities.
Philips will continue to add cybersecurity vulnerability remediation improvements through our Secure Development Lifecycle (SDL) as threats continue.
Philips has reported these potential vulnerabilities and their resolution to customers and the appropriate government agencies, including US DHS ICS-CERT, which is issuing an advisory.
Users with questions regarding their specific IntelliSpace PACS solutions are advised by Philips to contact their Customer Success Manager (CSM), Market Success Leader (MSL), local Philips service support team, or regional service support. Philips contact information is available at the following location: