Publication Date: August 17, 2017
Update Date: August 17, 2017
Philips has confirmed the findings of a customer-submitted complaint and vulnerability report that the Philips DoseWise Portal (DWP) application (versions 22.214.171.1243 and 126.96.36.19969) contains hard-coded database credentials stored in cleartext (unencrypted) in backend system files, behind the current production security defenses.
Philips has received no reports of exploitation of these vulnerabilities, nor of incidents from clinical use, that we have been able to associate with this problem.
To exploit these vulnerabilities and reach the underlying DWP database, an attacker first needs elevated privileges on the system in order to read the web application's backend system files that contain the hard-coded credentials. Successful exploitation may allow a remote attacker to gain access to the DoseWise Portal database, which contains patient health information (PHI). Potential impact includes compromise of patient confidentiality, system integrity, and/or system availability.
The Philips DoseWise Portal (DWP) is a radiation dose management solution that simplifies the collection, analysis and interpretation of patient radiation dose metrics and acquisition parameters across x-ray medical imaging devices. DoseWise Portal captures, tracks, alerts and reports on patient radiation dose, supporting users in performing statistical analysis of imaging equipment radiation output. This provides quantitative trends and statistics that users may use as input when planning and tracking dose management improvement activities. DWP is standalone Class A software in accordance with IEC 62304, classified as a low-safety-risk medical device.
Philips is scheduled to release a new product version and supporting product documentation in August 2017.
- For all customers of DWP version 188.8.131.5269, Philips will update the DWP installation to version 184.108.40.20618. This update replaces the authentication method and eliminates the hard-coded password vulnerabilities from the DWP system.
- For all customers of DWP version 220.127.116.113, Philips will reconfigure the DWP installation to change and fully encrypt all stored passwords.
- As an interim mitigation, until the update can be applied, Philips recommends that customers:
  - Ensure network security best practices are implemented, and
  - Block TCP port 1433 (the default Microsoft SQL Server listener) at the host or network boundary, except where the DWP application uses a separate SQL server, which must remain reachable on that port.
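The two checks a site administrator would want before and after the update are (a) whether any backend configuration still carries a database login and password in cleartext, and (b) whether the DWP installation talks to a local SQL instance (port 1433 can be blocked from the network) or to a separate SQL server (it cannot). The script below is an added example, not Philips code, and assumes the backend stores SQL Server connection strings in a web.config-style `<connectionStrings>` section; the real DWP file format and key names are not stated on the page. The sample configuration and its password are constructed. The hardening function rewrites a SQL-login string to Windows integrated authentication, which is one common way to remove the password from the file; whether the Philips update uses that method is likewise not stated on the page.

```python
import re

# Constructed sample, web.config-style connectionStrings section. NOT taken
# from the DoseWise Portal product; the login and password are invented.
SAMPLE_CONFIG = """
<connectionStrings>
  <add name="DwpDb" connectionString="Data Source=localhost;Initial Catalog=DWP;User ID=dwpadmin;Password=Hunter2!" />
  <add name="ReportDb" connectionString="Server=sqlsrv01.example.local,1433;Database=DWPReports;Integrated Security=SSPI" />
  <add name="Audit" connectionString="Server=(local);Database=Audit;Trusted_Connection=yes;pwd=" />
</connectionStrings>
"""

ENTRY_RE = re.compile(r'<add\s+name="([^"]+)"\s+connectionString="([^"]+)"')
SECRET_KEYS = {"password", "pwd"}
USER_KEYS = {"user id", "uid", "user"}
AUTH_KEYS = {"integrated security", "trusted_connection"}
# Spellings SQL Server clients accept for "the instance on this machine".
LOCAL_HOSTS = {"", ".", "(local)", "localhost", "127.0.0.1"}


def parse_connection_string(cs):
    """'k=v;k=v' -> dict keyed by lowercase key; values keep their case."""
    parts = {}
    for item in cs.split(";"):
        if "=" not in item:
            continue
        key, value = item.split("=", 1)
        parts[key.strip().lower()] = value.strip()
    return parts


def server_host(parts):
    """Host part of Data Source/Server, with ',port' and '\\instance' removed."""
    raw = parts.get("data source") or parts.get("server") or parts.get("address") or ""
    return raw.split(",")[0].split("\\")[0].strip().lower()


def uses_separate_sql_server(parts):
    return server_host(parts) not in LOCAL_HOSTS


def uses_integrated_auth(parts):
    return any(parts.get(k, "").lower() in {"sspi", "true", "yes"} for k in AUTH_KEYS)


def has_cleartext_password(parts):
    # An empty pwd= is not a secret; a non-empty one is the finding.
    return bool(parts.get("password") or parts.get("pwd"))


def audit(config_text):
    """One finding dict per connection string in the config text."""
    findings = []
    for name, cs in ENTRY_RE.findall(config_text):
        parts = parse_connection_string(cs)
        findings.append({
            "name": name,
            "cleartext_password": has_cleartext_password(parts),
            "integrated_auth": uses_integrated_auth(parts),
            "separate_sql_server": uses_separate_sql_server(parts),
        })
    return findings


def should_block_1433(findings):
    """True when every connection targets the local instance, i.e. nothing
    legitimate needs TCP/1433 from the network (the advisory's exception)."""
    return not any(f["separate_sql_server"] for f in findings)


def to_integrated_security(cs):
    """Rewrite a SQL-login connection string to Windows integrated auth:
    drop user/password keys so no secret has to live in the file."""
    kept = []
    for item in cs.split(";"):
        if "=" not in item:
            continue
        key = item.split("=", 1)[0].strip().lower()
        if key in SECRET_KEYS | USER_KEYS | AUTH_KEYS:
            continue
        kept.append(item.strip())
    kept.append("Integrated Security=SSPI")
    return ";".join(kept)


if __name__ == "__main__":
    findings = audit(SAMPLE_CONFIG)
    for f in findings:
        print(f)
    print("block TCP/1433 from the network:", should_block_1433(findings))
```

Run against the real backend files (with appropriate authorization, since reading them is exactly the privileged access the advisory describes), a `cleartext_password` hit is the condition the update is meant to remove, and `should_block_1433` returning False means the port-1433 block must be scoped to leave the named SQL host reachable rather than applied blindly.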
Philips has notified all customers of the identified vulnerabilities and will coordinate with customers to schedule updates. Philips encourages users to only use Philips-validated and authorized changes for the DoseWise Portal system supported by Philips’ authorized personnel or under Philips’ explicit published directions for product patches, updates, or releases.
Customers with questions regarding their specific DoseWise Portal installations should contact their local Philips service support team or their regional service support.