Publication Date: November 14, 2019
Update Date: December 12, 2019
Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive, ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.
In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible security vulnerabilities, the company is proactively issuing an advisory regarding the Philips IntelliBridge EC40 and EC80 Hub.
Philips has become aware of a potential issue with inadequate encryption strength associated with the Philips IntelliBridge EC40 and EC80 Hub. Successful exploitation of this issue may allow an unauthorized user to gain access to the hub and to execute software, modify system configuration, or view/update files, including unidentifiable patient data. No known public exploits specifically target this vulnerability. This vulnerability is exploitable from an adjacent network.
Philips plans a new release to remediate this issue by the end of Q3 2020. Philips has not received any reports of exploitation of this vulnerability or of incidents from clinical use that we have been able to associate with this issue.
Philips has reported this potential vulnerability and its mitigation to customers and the appropriate government agencies, including CISA, which is issuing an advisory.
Users with questions regarding their specific Philips IntelliBridge EC40/EC80 Hub installation should contact their local Philips service support team, or regional service support. Philips contact information is available at the following location:
US DHS CISA (Cybersecurity and Infrastructure Security Agency): https://www.us-cert.gov/ics/advisories/icsma-19-318-01