Publication Date: January 24, 2018
Update Date: January 24, 2018
Philips has confirmed the findings of a customer-submitted complaint of a vulnerability affecting versions 2.3.0 and earlier of the Philips IntelliSpace Cardiovascular (ISCV) cardiac image and information management system. If the IntelliSpace Cardiovascular system is used with an Electronic Medical Record (EMR) in Kiosk mode configured with Windows authentication, the user may not be properly logged out if the browser is not closed at the end of software use. As a result, a subsequent user of the EMR system who launches ISCV will be logged in with the credentials of the previous user. This reported vulnerability may allow an attacker to gain unauthorized access to sensitive information stored on the system and modify this information.
Philips advises users to close the browser at the end of each session, rather than only logging out, to mitigate this potential issue, or to change the authentication configuration to use encrypted logon from the EMR. In this configuration, Windows authentication is not used; therefore, the vulnerability is not applicable.
At this time, Philips has received no reports of exploitation of this vulnerability or of incidents from clinical use that it has been able to associate with this problem. The 3.1.0 version of the software will remediate the issue.
Customers with questions regarding their specific ISCV or Xcelera installation should contact their local Philips service support team or their regional service support. In alignment with Philips’ Responsible Disclosure Policy and U.S. FDA Post-Market requirements, Philips worked with the customer who submitted the vulnerability observation and appropriate government agencies to draft and distribute a public security advisory concerning this vulnerability.