Publication Date: November 8, 2018
Update Date: November 8, 2018
Philips is a committed leader in medical device cybersecurity. Governed by our global Product Security Policy, the company conducts extensive ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.
As part of Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of potential system security vulnerabilities, Philips is proactively issuing an advisory concerning potential vulnerabilities that may affect Philips iSite and IntelliSpace PACS (Picture Archiving and Communications Systems).
Philips has confirmed that Philips iSite and IntelliSpace PACS contain security vulnerabilities that under certain specific conditions could impact or potentially compromise patient confidentiality, system integrity, and/or system availability. These vulnerabilities are not exploitable over the Internet.
As an interim mitigation for this potential issue, Philips recommends that users:
• Ensure only customer-authorized personnel can connect to the customer controlled network environment.
• Review Instructions for Use guidelines available with the application interface and follow the security best practices.
Philips can work with customers to provide assistance with resetting system passwords, or customers may request a Compute Environment (CE) release to address this issue.
At this time, Philips has received no reports of patient harm. Philips analysis has shown that it is unlikely that this vulnerability would impact clinical use, due to mitigating controls currently in place. To date, Philips has received no complaints involving clinical use that we have been able to associate with this problem.
Philips IntelliSpace PACS runs in a managed service environment which adheres to ICS-CERT recommendations to minimize the risk of exploitation (Virtual Private Network, Firewall isolation from other networks, no internet access). In addition, Philips employs an automated Antivirus solution that continuously monitors and remediates threats across all systems in the managed service environment. Philips has a monthly recurring patch program which all IntelliSpace PACS users are encouraged to participate. Customers who participate in this program receive all Philips approved operating system and application patches in a timely fashion.
Philips will continue to add cybersecurity vulnerability remediation improvements through our Secure Development Lifecycle (SDL) as threats continue.
Philips has reported these potential vulnerabilities and its resolution to customers and the appropriate government agencies, including US DHS ICS-CERT, which is issuing an advisory.
Users with questions regarding their specific IntelliSpace PACS solutions are advised by Philips to contact their Customer Success Manager (CSM), Market Success Leader (MSL), local Philips service support team, or regional service support. Philips contact information is available at the following location: Customer Service Solutions