Publication Date: August 29, 2019
Update Date: August 29, 2019
Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive, ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.
In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible system security vulnerabilities, the company is proactively issuing an advisory regarding the Philips HDI 4000 Ultrasound system. This system was discontinued in 2006, and product support ceased in 2013.
Philips has become aware that if the Philips HDI 4000 Ultrasound system is running on outdated, unsupported operating systems, such as Windows 2000, an unauthorized user may be able to access ultrasound images or compromise image integrity.
Philips has not received any reports of exploitation of these vulnerabilities or of incidents from clinical use that we have been able to associate with this problem. This issue does not affect patient safety, system operations, or availability.
Philips recommends as mitigation that users implement controls to limit access to the network and consider replacing the system with a newer technology and supported operating system.
Philips has reported this potential vulnerability and its mitigation to customers and the appropriate government agencies, including US DHS ICS-CERT, which is issuing an advisory.
Users with questions regarding their specific Philips HDI 4000 Ultrasound system installation should contact their Customer Success Manager (CSM), local Philips service support team, or regional service support. Philips contact information is available at the following location:
Please see the Philips product security web site for the latest security information for Philips products: https://www.philips.com/productsecurity