Publication Date: January 5, 2018
Update Date: February 28, 2018
Philips is currently monitoring and actively testing updates related to the recently discovered Meltdown and Spectre global security vulnerabilities. As part of the company’s product security policy and protocols, Philips’ global product security team is actively evaluating potential impacts on Philips solutions. At this time, Philips has not received reports of these vulnerabilities affecting clinical use of company products.
Meltdown and Spectre are two techniques researchers have discovered that circumvent protections exposing nearly any data the computer processes, such as passwords, proprietary information, or encrypted communications. These security vulnerabilities have been globally reported as known issues with Intel, AMD and ARM chips and are not linked to specific individual products or implementations. These flaws are forcing a redesign of the kernel software present in Windows, Mac, and Linux operating systems present on machines running Intel, AMD and ARM chips.
Meltdown allows malicious programs to gain access to higher-privileged parts of a computer's memory, while Spectre steals data from the memory of other applications running on a machine. Currently researchers say that Meltdown is limited to Intel chips, and Spectre attacks Intel, AMD, and ARM processors. Threat actors need access to an enterprise network or a network connection to a specific device to exploit the vulnerability. There are no examples of either exploits in the wild or weaponization of an exploit at this time.
Microsoft has released updates to help mitigate these vulnerabilities. A Linux patch is also currently available. Testing and implementation of these patches by third parties including cloud service providers is reportedly currently underway. As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips products and solutions for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for OS updates related to these vulnerabilities and evaluating for further actions or updates to potentially affected Philips products.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips products (including operating system security updates and patches) are implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions. If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.
Customers entitled by service-contract to use Philips InCenter are encouraged to request and attain InCenter access and reference product-specific information posted on Philips InCenter. All customers with and without service contracts are encouraged to contact their local service support team or regional product service support as needed for current information specific to their products or Philips deployed installations as information becomes available.