Publication Date: August 21, 2018
Update Date: August 21, 2018
Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.
As part of Philips’ Coordinated Vulnerability Disclosure Policy and aligned with U.S. FDA Post-Market Guidance requirements for the awareness and remediation of potential system security vulnerabilities, the company proactively issued an advisory concerning potential security vulnerabilities that may affect Philips IntelliVue Information Center (PiiC iX) B.02 system.
Philips has confirmed that for the B.02 version of the system, Simple TCP Services is enabled, which if successfully exploited, may potentially result in a Denial of Service where the Operating System will become unresponsive during a network attack, which will affect the application’s ability to meet the intended use.
This vulnerability is exploitable remotely. However, a high skill level by an attacker is required for successful exploitation. At this time, Philips has received no reports of exploitation of this vulnerability that impacts clinical use that we have been able to associate with this problem.
Philips has identified and put in place mitigations to reduce the risk of exploitation of this vulnerability. In order for users of affected devices to mitigate exposure to these vulnerabilities, Philips recommends following the device’s labeling, including Instructions for Use and Service Guide(s), which provide compensating controls to mitigate these vulnerabilities.
To mitigate these vulnerabilities; Philips recommends users follow the labeling for the medical device (Security for Clinical Networks Guide) which provides physical and logical security instructions. Philips will be providing the remediation in the form of a patch in Q3 2018 for all PIIC iX B.02 customers.
Philips has reported this potential vulnerability and its resolution to customers and the appropriate government agencies, including ICS-CERT, which is issuing an advisory.
Philips recognizes that the security of our healthcare, personal health, and home consumer products and services are business critical for our customers. Philips has taken the lead in creating a Responsible Disclosure Policy, to collaborate with customers, security researchers, regulators and other agencies to help proactively identify, address and disclose potential vulnerabilities in a safe and effective manner.
Customers with questions regarding their specific Philips IntelliVue Information Center (PiiC iX) installations are advised by Philips to contact their local Philips service support team or their regional service support. Philips contact information is available at the following location:
Please see the Philips product security web site for the latest security information for Philips products: