Publication Date: September 12, 2019

Update Date: September 12, 2019

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible system security vulnerabilities, the company is proactively issuing an advisory regarding Versions A and B of the Philips IntelliVue Wireless Local Area Network (WLAN) module available in specific Philips IntelliVue Patient Monitors.

Philips has become aware that under certain specific conditions, an unauthorized user with a high skill level and access to the device’s local area network may be able to corrupt the WLAN firmware and impact data flow. Should there be an interruption, an inoperative device alert would appear on the device and on its associated central station.

At this time, Philips has received no reports of patient harm. Philips’ analysis has shown that it is unlikely that this vulnerability would impact clinical use, due to mitigating controls currently in place. To date, Philips has received no complaints involving clinical use that we have been able to associate with this problem, and no evidence that patient identifiers were compromised.

To address this issue, Philips recommends that customers update to the WLAN Module Version C wireless module in affected IntelliVue Monitors. WLAN Version C with current firmware of B.00.31 is not vulnerable to the described attack. Regarding other versions, WLAN Version A will be addressed via a software patch from Philips, estimated to be available in InCenter by the end of 2019. The Philips WLAN Version B is obsolete. Wireless network access should be controlled by authentication and authorization (e.g. WPA2), which are supported by Philips. Additional mitigations include implementing a firewall rule on the customer wireless network and further controls on physical access to the system.

Philips has reported this potential vulnerability and its resolution to customers and the appropriate government agencies, including US DHS ICS-CERT, which is issuing an advisory.

Users with questions regarding their Philips IntelliVue WLAN Module software are advised by Philips to contact their local Philips service support team, or regional service support. Philips contact information is available at the following location:

https://www.usa.philips.com/healthcare/solutions/customer-service-solutions

Please see the Philips product security web site for the latest security information for Philips products: https://www.philips.com/productsecurity