Publication Date: August 16, 2018

 

Update Date: August 16, 2018

 

 

Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.

 

As part of Philips’ Coordinated Vulnerability Disclosure Policy and aligned with U.S. FDA Post-Market Guidance requirements for the awareness and remediation of potential system security vulnerabilities, the company proactively issued an advisory concerning potential security vulnerabilities that may affect Philips PageWriter TC10, TC20, TC30, TC50, TC70 Cardiograph systems.

 

The identified potential vulnerabilities include:

 

· a hardcoded superuser password

· lack of user-input “sanitization”

 

 

Philips has determined that a user with both physical access to a Philips PageWriter system and a superuser password for the device could access and modify settings on the device as well as reset existing passwords. The user-input sanitization issue could lead to buffer overflow or format string vulnerabilities. A high degree of skill is required to successfully exploit these issues. Exploits that could target some of the vulnerabilities are known to be publicly available.

 

At this time, Philips has received no reports of patient harm. It is unlikely that these security issues would impact clinical use due to common use and mitigations currently in place. To date, Philips has received no complaints involving clinical use that we have been able to associate with these identified issues.

 

Philips’ analysis has shown that it is unlikely that these issues would impact clinical use, due to mitigating controls currently in place. Additionally, the PageWriter TC cardiograph system is not a life support or treatment device. The ECG record taken by PageWriter TC cardiographs must be confirmed by qualified physicians before being used for diagnostic purposes.

 

To address the identified vulnerabilities, Philips is issuing a release in 2019 that will address the password and input issues. That release will be offered on both Microsoft Windows CE7 and Windows CE5 operating systems in order to support the installed base. Philips has reported these potential vulnerabilities and anticipated resolution to customers and the appropriate government agencies, including the U.S. Department of Homeland Security’s ICS-CERT, which has issued an advisory.

 

Users with questions regarding their specific PageWriter TC solutions are advised by Philips to contact their Customer Success Manager (CSM), Market Success Leader (MSL), local Philips service support team, or regional service support. Philips contact information is available at the following locations:

 

https://www.usa.philips.com/healthcare/solutions/customer-service-solutions

 

https://www.usa.philips.com/healthcare/about/contact

 

Please see the Philips product security web site for the latest security information for Philips products:

 

www.philips.com/productsecurity