Publication Date: May 2, 2019

Update Date: June 6, 2019

 

Philips is aware of recently published findings by security researchers regarding the potential for cybersecurity vulnerabilities in medical imaging equipment and networks related to the Digital Imaging and Communications in Medicine (DICOM) standard, which is used for the exchange of medical images. The Philips global Product Security team is reviewing the published research for further analysis.

 

A number of the defenses proposed in the research study for this type of cyber-attack have long been advocated and implemented by Philips across our systems and products, including network and device environment hardening, data encryption, limiting device Internet exposure, and identity/password protection. Philips continues to be a strong proponent of device encryption, and end-to-end encryption strategies are part of Philips’ design-for-security development and deployment of our products and systems.

 

At this time, a Philips product security analysis of imaging systems indicates limited exposure to this potential vulnerability, whether via network-based use or physical media. Philips imaging systems typically do not interpret or otherwise interact with the indicated DICOM “preamble” content, which has been identified as a possible vector for malicious code.
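
For teams that want to check stored or incoming files for unexpected preamble content, the following is an added example, not Philips code or tooling. It relies on the DICOM Part 10 file layout (a 128-byte preamble followed by the ASCII prefix `DICM`); the labels, the signature list and the sample bytes are constructed for illustration.

```python
"""Triage the 128-byte DICOM Part 10 preamble (added example, constructed data)."""

PREAMBLE_LEN = 128
DICM_PREFIX = b"DICM"

# Leading signatures worth flagging in a preamble (illustrative, not exhaustive).
EXECUTABLE_MAGICS = (b"MZ", b"\x7fELF")
# Dual-format DICOM/TIFF files are a legitimate use of the preamble.
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")


def classify_preamble(data: bytes) -> str:
    """Return a triage label based on the first 132 bytes of a candidate file."""
    prefix = data[PREAMBLE_LEN:PREAMBLE_LEN + len(DICM_PREFIX)]
    if prefix != DICM_PREFIX:
        return "not-part10"          # too short, or no DICM prefix at offset 128
    preamble = data[:PREAMBLE_LEN]
    if preamble == bytes(PREAMBLE_LEN):
        return "zeroed"              # the common, unused-preamble case
    if preamble.startswith(EXECUTABLE_MAGICS):
        return "executable-header"   # quarantine and investigate
    if preamble.startswith(TIFF_MAGICS):
        return "tiff-header"         # expected only where dual-format files are used
    return "nonzero-unknown"         # review against the sending system's behaviour


def zero_preamble(data: bytes) -> bytes:
    """Return a copy with the preamble zeroed; prefix and data set are untouched.

    This breaks the TIFF view of a dual-format file, so apply it only where
    the preamble is not used by the receiving workflow.
    """
    if classify_preamble(data) == "not-part10":
        raise ValueError("not a DICOM Part 10 file")
    return bytes(PREAMBLE_LEN) + data[PREAMBLE_LEN:]


def make_sample(preamble_start: bytes) -> bytes:
    """Build a constructed test file: padded preamble, DICM, one placeholder element."""
    element = b"\x02\x00\x00\x00UL\x04\x00\x00\x00\x00\x00"  # constructed (0002,0000)
    return preamble_start.ljust(PREAMBLE_LEN, b"\x00") + DICM_PREFIX + element


if __name__ == "__main__":
    for start in (b"", b"MZ\x90\x00", b"II*\x00", b"notes"):
        print(repr(start), "->", classify_preamble(make_sample(start)))
```

A non-zero preamble is not proof of compromise, so the label is a triage signal to combine with file provenance rather than a verdict.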

 

To date, the company has not received any reports of exploitation of these vulnerabilities or incidents from clinical use of Philips products that are associated with the type of attack demonstrated in published research. Additionally, Philips is not aware that the company’s devices were part of the research.

 

Philips welcomes collaboration with the security research community with regard to exploring strategies and methods to identify, address, and disclose known or potential cybersecurity threats to medical devices. Philips recognizes that the security of our healthcare, personal health, and home consumer products and services is business critical for our customers. We are dedicated to helping our customers maintain the confidentiality, integrity, and availability of personal data, business data and the Philips hardware and software products that create and manage this data.

 

Philips operates under a global Product Security policy governing design-for-security in product and services creation, as well as risk assessment and incident response activities for vulnerabilities identified in existing products.

 

In a medical devices industry “first”, Philips has established a Security Center of Excellence (SCoE) to develop products that are “cyber-resilient”.

 

We have also taken the lead in creating a Coordinated Vulnerability Disclosure (CVD) Policy, to collaborate with customers, security researchers, regulators and other agencies to help identify, address and disclose potential vulnerabilities in a safe and effective manner.

 

To fulfill our commitment to security, Philips maintains a global program to:

 

  • Develop, deploy, and support advanced security features for our products and services
  • Manage security events in the field

Philips participates in industry and government collaborations to help ensure product innovations and clinical information are produced and available at the highest level of quality, availability, and confidentiality.