Committed to proactively addressing the security concerns of our customers

To guide our efforts, we have created a global policy to address the evolving nature of security in medical technology, including product feature requirements, security threat assessment and tracking, and compliance with local government standards.

Security Advisory Archives (2019)

Philips IntelliBridge EC40/80 (14 November 2019)

Publication Date:  November 14, 2019

Update Date: December 12, 2019

 

Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive, ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.

 

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible security vulnerabilities, the company is proactively issuing an advisory regarding the Philips IntelliBridge EC40 and EC80 Hub.

 

Philips has become aware of a potential issue with inadequate encryption strength associated with the Philips IntelliBridge EC40 and EC80 Hub. Successful exploitation of this issue may allow an unauthorized user access to the hub, and may allow access to execute software, modify system configuration, or view/update files, including unidentifiable patient data. No known public exploits specifically target this vulnerability. This vulnerability is exploitable from an adjacent network.

 

Philips plans a new release to remediate this issue by the end of Q3 2020. Philips has not received any reports of exploitation of this vulnerability or of incidents from clinical use that we have been able to associate with this issue.

 

Philips has reported this potential vulnerability and its mitigation to customers and the appropriate government agencies, including CISA, which is issuing an advisory.

 

Users with questions regarding their specific Philips IntelliBridge EC40/EC80 Hub installation should contact their local Philips service support team, or regional service support. Philips contact information is available at the following location:

https://www.usa.philips.com/healthcare/solutions/customer-service-solutions

US DHS CISA (Cybersecurity and Infrastructure Security Agency): https://www.us-cert.gov/ics/advisories/icsma-19-318-01

Philips IntelliSpace Perinatal (24 October 2019)

Publication Date:  October 24, 2019

Update Date: October 24, 2019

 

Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive, ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.

 

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible security vulnerabilities, the company is proactively issuing an advisory regarding the Philips IntelliSpace Perinatal obstetrics information system.

 

Philips has become aware that for Versions K and prior of the Philips IntelliSpace Perinatal system, a potential vulnerability may allow an unauthorized user access to system resources. This could impact confidentiality and integrity of the system and application. To exploit this issue, an attacker would require physical access to a locked application screen, or a remote desktop session host application.

 

Philips has not received any reports of exploitation of this vulnerability or of incidents from clinical use that we have been able to associate with this issue. Philips is providing customers with a detailed update to Philips IntelliSpace Perinatal documentation to provide clear guidance on recommended mitigations for this issue. This documentation is available to customers on Philips InCenter. Philips will be further assessing potential mitigations in the next minor product update, which is planned for the end of 2020.

 

Philips has reported this potential vulnerability and its mitigation to customers and the appropriate government agencies, including CISA, which is issuing an advisory.

 

Users with questions regarding their specific Philips IntelliSpace Perinatal installation should contact their Customer Success Manager (CSM), local Philips service support team, or regional service support. Philips contact information is available at the following location:

https://www.usa.philips.com/healthcare/solutions/customer-service-solutions

 

Please see the Philips product security web site for the latest security information for Philips products: https://www.philips.com/productsecurity

Philips IntelliVue Wireless Local Area Network (WLAN) module (12 Sept 2019)

Publication Date:  September 12, 2019

Update Date: September 12, 2019

 

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible system security vulnerabilities, the company is proactively issuing an advisory regarding Versions A and B of the Philips IntelliVue Wireless Local Area Network (WLAN) module available in specific Philips IntelliVue Patient Monitors.

 

Philips has become aware that under certain specific conditions, an unauthorized user with a high skill level and access to the device’s local area network may be able to corrupt the WLAN firmware and impact data flow. Should there be an interruption, an inoperative device alert would appear on the device and on its associated central station.

 

At this time, Philips has received no reports of patient harm. Philips analysis has shown that it is unlikely that this vulnerability would impact clinical use, due to mitigating controls currently in place. To date, Philips has received no complaints involving clinical use that we have been able to associate with this problem, or evidence of patient identifiers compromised.

 

To address this issue, Philips recommends customers update to the WLAN Module Version C wireless module in affected IntelliVue Monitors. WLAN Version C with current firmware of B.00.31 is not vulnerable to the described attack. Regarding other versions, WLAN Version A will be addressed via a software patch from Philips, estimated to be available in Incenter by the end of 2019. The Philips WLAN Version B is obsolete. Wireless network access should be controlled by authentication and authorization (e.g. WPA2), which are supported by Philips. Additional mitigations include implementing a firewall rule on the customer wireless network, and further controls on physical access to the system.

 

Philips has reported this potential vulnerability and its resolution to customers and the appropriate government agencies, including US DHS ICS-CERT, which is issuing an advisory.

 

Users with questions regarding their Philips IntelliVue WLAN Module software are advised by Philips to contact their local Philips service support team, or regional service support. Philips contact information is available at the following location:

https://www.usa.philips.com/healthcare/solutions/customer-service-solutions

 

Please see the Philips product security web site for the latest security information for Philips products: https://www.philips.com/productsecurity

Philips Ultrasound HDI 4000 (29 August 2019)

Publication Date:  August 29, 2019

Update Date: August 29, 2019

 

Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive, ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible system security vulnerabilities, the company is proactively issuing an advisory regarding the Philips HDI 4000 Ultrasound system. This system was discontinued in 2006, and product support ceased in 2013.

 

Philips has become aware that if the Philips HDI 4000 Ultrasound system is running on outdated, unsupported operating systems, such as Windows 2000, an unauthorized user may be able to access ultrasound images or compromise image integrity.

Philips has not received any reports of exploitation of these vulnerabilities or of incidents from clinical use that we have been able to associate with this problem. This issue does not affect patient safety, system operations, or availability.

 

Philips recommends as mitigation that users implement controls to limit access to the network and consider replacing the system with a newer technology and supported operating system.

Philips has reported this potential vulnerability and its mitigation to customers and the appropriate government agencies, including US DHS ICS-CERT, which is issuing an advisory.

 

Users with questions regarding their specific Philips HDI 4000 Ultrasound system installation should contact their Customer Success Manager (CSM), local Philips service support team, or regional service support. Philips contact information is available at the following location:

https://www.usa.philips.com/healthcare/solutions/customer-service-solutions

 

Please see the Philips product security web site for the latest security information for Philips products: https://www.philips.com/productsecurity

Microsoft Remote Desktop Services Remote Execution Vulnerability – DejaBlue (15 August 2019)

Publication Date: August 15, 2019 

Update Date: April 20, 2019

 

Philips is currently monitoring developments and updates related to the recent Microsoft alert concerning the reported Remote Desktop Services Remote Code Execution vulnerability named DejaBlue (CVE-2019-1181 and CVE-2019-1182).

 

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for OS updates related to these vulnerabilities and evaluating further actions or updates to potentially affected Philips products.

 

Microsoft has released patches to help remediate these vulnerabilities. Philips is currently in the process of evaluating these patches. Successful exploitation of this vulnerability could allow an unauthorized user to execute arbitrary code on the target system. An unauthorized user could then install programs; view, change, or delete data; or create new accounts with full user rights.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products.

 

Begin Update C: April 20, 2020

Affiniti (30,50,70)
IE33
Juno DRF(5.7)
Analytics 1.1
IEM v11.01-v11.04**
MicroDose SI (L50) (9.0 P1,P2,P3)
ClearVue
IntelliSpace Breast (v2.1, 2.2, 3.1, 3.2)
MicroDose SI U (L50 U)(9.0 P1,P2,P3)
CX50/30
IntelliSpace Cardiovascular (ISCV 1.x - 3.x)*
Sparq
Diagnostic Site Server (DSS)
IntelliSpace PACS 4.4
SPhAERA (3.6 & up)
Efficia Central - SureSigns Monitor / CMS200(C.01)**
IntelliSpace PACS 4.4.55x
UDM(1.1, 2.1)
Envisor
IntelliSpace Portal Server(7,8,9)**
VISIQ
Epiq (5/7)
IntelliSpace Portal Workstation(7,8,9,10)**
Xcelera 4.1
FocalPoint (A.0/A.01)**
ISP Anywhere(1.3)
XIRIS (8.1, 8.3)
IBE (B.02 - B.09)*,**
ISP VL Capture 1.1 Visible Light
Xper IM(1.5, 2.x)
IU22

*Software only products with customer owned Operating Systems

**Information or patch available in Incenter
 

Note:
For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips service teams from providing any required immediate and proactive support such as remote patching.
 

Philips is continuing to assess the Microsoft patch for Philips’ products and services that use remote desktop services. Philips will use Incenter as the communication mechanism for necessary mitigation or remediation.
 

End Update C

 

Begin Update B: December 13, 2019

Affiniti (30,50,70)
IE33
Juno DRF(5.7)
Analytics 1.1
IEM v11.01-v11.04**
MicroDose SI (L50) (9.0 P1,P2,P3)
ClearVue
IntelliSpace Breast (v2.1, 2.2, 3.1, 3.2)
MicroDose SI U (L50 U)(9.0 P1,P2,P3)
CX50/30
IntelliSpace Cardiovascular (ISCV 1.x - 3.x)*
Sparq
DSS
IntelliSpace PACS 4.4
SPhAERA (3.6 & up)
Efficia Central - SureSigns Monitor / CMS200(C.01)**
IntelliSpace PACS 4.4.55x
UDM(1.1, 2.1)
Envisor
IntelliSpace Portal Server(7,8,9)**
VISIQ
Epiq (5/7)
IntelliSpace Portal Workstation(7,8,9,10)**
Xcelera 4.1
FocalPoint (A.0/A.01)**
ISP Anywhere(1.3)
XIRIS (8.1, 8.3)
IBE (B.02 - B.09)*,**
ISP VL Capture 1.1 Visible Light
Xper IM(1.5, 2.x)
IDM
IU22

*Software only products with customer owned Operating Systems

 

**Information or patch available in Incenter

 

Note: For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips service teams from providing any required immediate and proactive support such as remote patching.

 

Philips is continuing to assess the Microsoft patch for Philips’ products and services that use remote desktop services. Philips will use Incenter as the communication mechanism for necessary mitigation or remediation.

 

End Update B

Urgent/11 VxWorks and TCP/IP IPnet Advisory (1 August 2019)

   

Publication Date: August 1, 2019
Update Date: December 11, 2019

 

Security researchers at Armis have disclosed 11 different zero-day vulnerabilities within Wind River’s VxWorks, a real-time operating system used in over 2 billion embedded systems that include medical devices, routers, VOIP phones and mission-critical infrastructure equipment.  The collection of vulnerabilities, which Armis refers to as "Urgent/11," could lead to remote code execution and allow an attacker to take over a whole system without interacting with the user. Of the 11 flaws, six are deemed critical. Successful exploitation of this vulnerability could allow an unauthorized user to execute arbitrary code on the target system. An unauthorized user could then install programs; view, change, or delete data; or create new accounts with full user rights.

 

Philips is currently monitoring developments and updates related to the recently published advisory (ICSA-19-211-01) concerning the 11 reported CVEs referred to as Urgent/11. The advisory lists several versions of VxWorks as not vulnerable, which Philips has taken into consideration for product evaluation and analysis.

 

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing VxWorks for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for OS updates related to these vulnerabilities and evaluating further actions or updates to potentially affected Philips products. VxWorks has released patches to help remediate these vulnerabilities. Philips is currently in the process of evaluating these patches.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise)  are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products.

 

Begin Update E: December 11, 2019

 

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to Urgent/11. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

Achieva and Achieva 3.0T (R5.3, R5.4 and higher)***
HDI 3500 ****
Multiva/Prodiva (R5.4)***
BrightView SPECT(1.x)***
HDI 3000 ****
Smart-hopping Access Point Controller (for MX40 and Telemetry products)**
BrightView X(2.x)***
Ingenia (R4, R5.3, R5.4 and higher)***
Zenition**
BrightView XCT(2.x)***
IntelliSpace Breast (v2.1, 2.2, 3.1, 3.2)
GEOPC (Component of Allura & Azurion) ***
Multiva (R5.3, R5.4)***

**Information or patch available in Incenter

*** Vulnerability is TCP/IP related and these are not network connected

**** End of Life (EoL)

 

End Update E

 

Begin Update D: September 11, 2019

 

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to Urgent/11. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

Achieva and Achieva 3.0T (R5.3, R5.4 and higher)***
GEOPC (Component of Allura & Azurion) ***
HDI 3000 ****
HDI 3500 ****
Ingenia (R4, R5.3, R5.4 and higher)***
Multiva (R5.3, R5.4)***
Smart-hopping Access Point Controller (for MX40 and Telemetry products)**
Multiva/Prodiva (R5.4)***
Zenition**

**Information or patch available in Incenter

*** Vulnerability is TCP/IP related and these are not network connected

**** End of Life (EoL)

 

End Update D

 

Begin Update C: August 15, 2019

 

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to Urgent/11. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

Achieva and Achieva 3.0T (R5.3, R5.4 and higher)***
GEOPC (Component of Allura & Azurion) ***
HDI 3000 ****
HDI 3500 ****
Ingenia (R4, R5.3, R5.4 and higher)***
Multiva (R5.3, R5.4)***
Smart-hopping Access Point Controller (for MX40 and Telemetry products)
Multiva/Prodiva (R5.4)***
Zenition**

**Information or patch available in Incenter

*** Vulnerability is TCP/IP related and these are not network connected

**** End of Life (EoL)

 

End Update C

 

Begin Update B: August 8, 2019

 

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to Urgent/11. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

 

Update B supersedes products listed in Update A as they were determined to be running non-vulnerable versions of VxWorks.

GEOPC (Component of Allura & Azurion) ***
HDI 3000 ****
HDI 3500 ****
Smart-hopping Access Point Controller (for MX40 and Telemetry products)
Zenition**

**Information or patch available in Incenter

*** Vulnerability is TCP/IP related and these are not network connected

**** End of Life (EoL)

 

End Update B

Begin Update A: August 2, 2019

 

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to Urgent/11. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

<Reference table in Update B>

 

**Information or patch available in Incenter

End Update A

Philips Holter 2010 Plus (11 July 2019)

Publication Date:  July 11, 2019

Update Date:  July 11, 2019

 

Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.

 

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible system security vulnerabilities, the company is proactively issuing an advisory regarding the Philips Holter 2010 Plus electrocardiogram (EKG) software.

 

Philips has become aware that under certain specific conditions, an unauthorized user with high skill level may potentially be able to access software options not purchased by the customer. The threat, if exploited, could lead to the enablement of system options not purchased. It does not impact patient safety, patient data integrity or confidentiality, or system operations.

 

Philips recommends users implement role-based access controls to control physical access to the system. Further controls are provided by the multiple components required to exploit the vulnerability.

 

Philips has reported this potential vulnerability and its resolution to customers and the appropriate government agencies, including US DHS ICS-CERT, which is issuing an advisory.

 

Users with questions regarding their specific Philips Holter 2010 Plus software installation are advised by Philips to contact their Customer Success Manager (CSM), local Philips service support team, or regional service support.   Philips contact information is available at the following location:

https://www.usa.philips.com/healthcare/solutions/customer-service-solutions.

Microsoft Remote Desktop Services Remote Execution Vulnerability – BlueKeep (15 May 2019)

Publication Date: May 15, 2019

Update Date: April 20, 2019
 

Begin Update G: April 20, 2020


Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2019-0708. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

Analytics 1.1
IntelliSpace ECG Management System B.00 (IECG)*, **
Oncad
CompuRecord (F.02, G.00, and G.01)*
IntelliSpace PACS (4.4, 4.4.551, 4.4.553)***
PIIC Classic (L, M, N, N.01)**
Diagnostics Site Server (DSS)
IntelliSpace Perinatal Revision (H, J, K)*,**
PIIC iX (A.0, B.0, B.02)**
DynaCAD Breast and Prostate*
IntelliSpace Portal (ISP) Server & Workstation**
SensaVue HD & FMRI
DynaSuite Neuro 3*
IntelliVue Guardian Software*,**
ST80i A.02*,**
Efficia Central - SureSigns Monitor / CMS200
Invivo Esys
UDM (v1.1, 2.1)***
eICU*,**
ISEE**
UroNav (1.x/2.x)
Extended Brilliance Workspace (EBW)**
ISP Anywhere (v1.3)
Xcelera 4.1*
Forcare suite*
ISP VL Capture 1.1 Visible Light (v1.1)
XIRIS (8.2, 8.3)
Holter Recorder DigiTrak XT (DTXT) *
Juno DRF (5.0-.6, 5.7)**
Xper IM*,**
IBE (B.02, B.03, B.04, B.05, B.06, B.07, B.08, B.09,  B.10)**
Lung Cancer Screening Solution*
ICCA (F, G)*,**
MicroDose L30 (8.0, 8.1, 8.2 P1, 8.3 P1, 8.4 P1 P2 P3)**
IEM (v11.00, v11.01, v11.02, v11.03, v11.04)**
MicroDose SI L50 (9.0 P1, P2, P3, P4, P5)**
IntelliSpace Breast (v2.1, 2.2, 3.1, 3.2)
MicroDose SI U L50 U (9.0 P1, P2, P3, P4, P5)**
Intellispace Cardiovascular (ISCV)*,****
MR** Intera/Achieva/Ingenia/Multiva/Panorama 1.0T/Prodiva R5.3

*Software only products with customer owned Operating Systems

**Information or patch available in Incenter

***Philips hosting business validated and deployed the patch to the managed infrastructure

****Patch is tested and can be installed via the windows update mechanism
 

Note:
For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips service teams from providing any required immediate and proactive support such as remote patching.

Philips is continuing to assess the Microsoft patch for Philips’ products and services that use remote desktop services. Philips will use Incenter as the communication mechanism for necessary mitigation or remediation.
 

End Update G
 

Begin Update F: December 10, 2019
 

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2019-0708. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

Analytics 1.1
IntelliSpace Breast (v2.1, 2.2, 3.1, 3.2)
MicroDose SI U L50 U (9.0 P1, P2, P3, P4, P5)**
CompuRecord (F.02, G.00, and G.01)*
Intellispace Cardiovascular (ISCV)*,****
MR** Intera/Achieva/Ingenia/Multiva/Panorama 1.0T/Prodiva R5.3
Diagnostics Authoring Workspot (DAW)**
IntelliSpace ECG Management System B.00 (IECG)*, **
Oncad
Diagnostics Site Server (DSS)
IntelliSpace PACS (4.4, 4.4.551, 4.4.553)***
PIIC Classic (L, M, N, N.01)**
DynaCAD Breast and Prostate*
IntelliSpace Perinatal Revision (H, J, K)*,**
PIIC iX (A.0, B.0, B.02)**
DynaSuite Neuro 3*
IntelliSpace Portal (ISP) Server & Workstation**
SensaVue HD & FMRI
Efficia Central - SureSigns Monitor / CMS200
IntelliVue Guardian Software*,**
ST80i A.02*,**
eICU*,**
Invivo Esys
UDM (v1.1, 2.1)***
Extended Brilliance Workspace (EBW)**
ISEE**
UroNav (1.x/2.x)
Forcare suite*
ISP Anywhere (v1.3)
Xcelera 4.1*
Holter Recorder DigiTrak XT (DTXT) *
ISP VL Capture 1.1 Visible Light (v1.1)
XIRIS (8.2, 8.3)
IBE (B.02, B.03, B.04, B.05, B.06, B.07, B.08, B.09,  B.10)**
Juno DRF (5.0-.6, 5.7)**
Xper IM*,**
ICCA (F, G)*,**
Lung Cancer Screening Solution*
IDM
MicroDose L30 (8.0, 8.1, 8.2 P1, 8.3 P1, 8.4 P1 P2 P3)**
IEM (v11.00, v11.01, v11.02, v11.03, v11.04)**
MicroDose SI L50 (9.0 P1, P2, P3, P4, P5)**

*Software only products with customer owned Operating Systems

**Information or patch available in Incenter

***Philips hosting business validated and deployed the patch to the managed infrastructure

****Patch is tested and can be installed via the windows update mechanism

 

Note:
For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips service teams from providing any required immediate and proactive support such as remote patching.

Philips is continuing to assess the Microsoft patch for Philips’ products and services that use remote desktop services. Philips will use Incenter as the communication mechanism for necessary mitigation or remediation.

 

End Update F

 

Begin Update E: September 11, 2019

 

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2019-0708. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

Analytics 1.1
IntelliSpace Breast (v2.1, 2.2, 3.1, 3.2)
MicroDose SI L50 (9.0 P1, P2, P3, P4, P5)
CompuRecord (F.02, G.00, and G.01)*
Intellispace Cardiovascular (ISCV)*
MicroDose SI U L50 U (9.0 P1, P2, P3, P4, P5)
Diagnostics Authoring Workspot (DAW)**
IntelliSpace ECG Management System B.00 (IECG)*, **
MR Intera/Achieva/Ingenia/Multiva/Prodiva R5.3
Diagnostics Site Server (DSS)
IntelliSpace PACS (4.4, 4.4.551, 4.4.553)
PIIC Classic (L, M, N, N.01)**
Efficia Central - SureSigns Monitor / CMS200
IntelliSpace Perinatal Revision (H, J, K)*,**
PIIC iX (A.0, B.0, B.02)**
eICU*,**
IntelliSpace Portal (ISP) Server & Workstation**
ST80i A.02*,**
Extended Brilliance Workspace (EBW)**
IntelliVue Guardian Software*
UDM (v1.1, 2.1)
Forcare suite*
ISEE
Xcelera 4.1*
Holter Recorder DigiTrak XT (DTXT) *
ISP Anywhere (v1.3)
XIRIS (8.2, 8.3)
IBE (B.02, B.03, B.04, B.05, B.06, B.07, B.08, B.09,  B.10)**
ISP VL Capture 1.1 Visible Light (v1.1)
Xper IM*
ICCA (F, G)**
Juno DRF (5.0-.6, 5.7)
IEM (v11.00, v11.01, v11.02, v11.03, v11.04)**
MicroDose L30 (8.0, 8.1, 8.2 P1, 8.3 P1, 8.4 P1 P2 P3)

*Software only products with customer owned Operating Systems

**Information or patch available in Incenter

 

Note:
For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips service teams from providing any required immediate and proactive support such as remote patching.

Philips is continuing to assess the Microsoft patch for Philips’ products and services that use remote desktop services. Philips will use Incenter as the communication mechanism for necessary mitigation or remediation.

 

End Update E

 

Begin Update D: August 15, 2019

 

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2019-0708. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

CompuRecord (F.02, G.00, and G.01)*
IBE (B.02, B.03, B.04, B.05, B.06, B.07, B.08, B.09,  B.10)**
IntelliSpace Portal (ISP) Server & Workstation**
Diagnostics Authoring Workspot (DAW)**
ICCA (F, G)**
IntelliVue Guardian Software*
Efficia Central - SureSigns Monitor / CMS200
IEM (v11.00, v11.01, v11.02, v11.03, v11.04)**
MR Intera/Achieva/Ingenia/Multiva/Prodiva R5.3
eICU*,**
IntelliSpace Breast
PIIC Classic (L, M, N, N.01)**
PIIC iX (A.0, B.0, B.02)**
Extended Brilliance Workspace (EBW)**
Intellispace Cardiovascular (ISCV)*
ST80i A.02*,**
Forcare suite*
IntelliSpace ECG Management System B.00 (IECG)*, **
Xcelera 4.1*
Holter Recorder DigiTrak XT (DTXT) *
IntelliSpace Perinatal Revision (H, J, K)*,**
Xper IM*

*Software only products with customer owned Operating Systems

 

**Information or patch available in Incenter

 

Note:


For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips service teams from providing any required immediate and proactive support such as remote patching.

Philips is continuing to assess the Microsoft patch for Philips’ products and services that use remote desktop services. Philips will use Incenter as the communication mechanism for necessary mitigation or remediation.

 

End Update D

 

Begin Update C: June 30, 2019

 

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2019-0708. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

CompuRecord (F.02, G.00, and G.01)*
IBE (B.02, B.03, B.04, B.05, B.06, B.07, B.08, B.09, B.10)**
IntelliSpace Portal (ISP) Server & Workstation**
DAW**
ICCA (F, G)**
IntelliVue Guardian Software*
Efficia Central - SureSigns Monitor / CMS200
IEM (v11.00, v11.01, v11.02, v11.03, v11.04)**
MR Intera/Achieva/Ingenia/Multiva/Prodiva R5.3
eICU*
IntelliSpace Breast
PIIC Classic (L, M, N, N.01)
Extended Brilliance Workspace (EBW)**
Intellispace Cardiovascular (ISCV)*
ST80i A.02
Forcare suite*
IntelliSpace ECG Management System B.00 (IECG)*
Xcelera 4.1*
Holter Recorder DigiTrak XT (DTXT) *
IntelliSpace Perinatal Revision (F, J.x)*
Xper IM*

*Software only products with customer owned Operating Systems

 

**Information or patch available in Incenter

 

Note:


For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability. Customers are advised not to disconnect the PRS, as doing so may hinder Philips service teams in providing any required immediate and proactive support, such as remote patching.

 

Philips is continuing to assess the Microsoft patch for Philips’ products and services that use remote desktop services. Philips will use Incenter as the communication mechanism for necessary mitigation or remediation.

 

End Update C

 

Begin Update B: June 7, 2019

 

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2019-0708. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

CompuRecord (F.02, G.00, and G.01)*
IBE (B.02, B.03, B.04, B.05, B.06, B.07, B.08, B.09, B.10)**
IntelliSpace Portal (ISP) Server & Workstation**
DAW**
ICCA (F, G)**
IntelliVue Guardian Software*
Efficia Central - SureSigns Monitor / CMS200
IEM (v11.00, v11.01, v11.02, v11.03, v11.04)**
PIIC Classic (L, M, N, N.01)
eICU*
IntelliSpace Breast
ST80i A.02
Extended Brilliance Workspace (EBW)**
Intellispace Cardiovascular (ISCV)*
Xcelera 4.1*
Forcare suite*
IntelliSpace ECG Management System B.00 (IECG)*
Xper IM*
Holter Recorder DigiTrak XT (DTXT) *
IntelliSpace Perinatal Revision (F, J.x)*

*Software only products with customer owned Operating Systems

 

**Information or patch available in Incenter

 

Note:


For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability. Customers are advised not to disconnect the PRS, as doing so may hinder Philips service teams in providing any required immediate and proactive support, such as remote patching.

 

Philips is continuing to assess the Microsoft patch for Philips’ products and services that use remote desktop services. Philips will use Incenter as the communication mechanism for necessary mitigation or remediation.

 

End Update B

 

Begin Update A: May 22, 2019

 

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products running Windows XP, Windows 7, Windows 2003 and Windows 2008. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

CompuRecord (F.02, G.00, and G.01)
Efficia Central - SureSigns Monitor / CMS200
eICU
Holter Recorder DigiTrak XT (DTXT) 
IBE (B.02, B.03, B.04, B.05, B.06, B.07, B.08, B.09, B.10)
ICCA (F, G)
IEM (v11.00, v11.01, v11.02, v11.03, v11.04)
IntelliSpace ECG Management System B.00 (IECG)
IntelliSpace Perinatal Revision (F, J.x)
IntelliVue Guardian Software
ST80i A.02

Note:


For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability. Customers are advised not to disconnect the PRS, as doing so may hinder Philips service teams in providing any required immediate and proactive support, such as remote patching.

 

Philips is continuing to assess the Microsoft patch for Philips’ products and services that use remote desktop services. Philips will use Incenter as the communication mechanism for necessary mitigation or remediation.

 

End Update A

 

Philips is currently monitoring developments and updates related to the recent Microsoft alert concerning the reported Remote Desktop Services Remote Code Execution vulnerability (CVE-2019-0708).

 

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for OS updates related to these vulnerabilities and evaluating further actions or updates to potentially affected Philips products.

 

Microsoft has released patches to help remediate these vulnerabilities. Philips is currently in the process of evaluating these patches.

Successful exploitation of this vulnerability could allow an unauthorized user to execute arbitrary code on the target system. An unauthorized user could then install programs; view, change, or delete data; or create new accounts with full user rights.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference the product-specific information posted there. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips products.

DICOM Standard Cybersecurity Vulnerability Research (2 May 2019)

Publication Date: May 2, 2019

Update Date: June 6, 2019

 

Philips is aware of recently published findings by security researchers regarding the potential for cybersecurity vulnerabilities in medical imaging equipment and networks related to the Digital Imaging and Communications in Medicine (DICOM) standard, which is used for the exchange of medical images. The Philips global Product Security team is reviewing the published research for further analysis.

 

A number of the research study’s proposed defenses for this type of cyber-attack have long been advocated and implemented by Philips across our systems and products, including network and device environment hardening, as well as data encryption, limiting device Internet exposure and identity/password protection. Philips continues to be a strong proponent of device encryption, and end-to-end encryption strategies are part of Philips’ design-for-security development and deployment of our products and systems.

 

At this time, a Philips product security analysis of imaging systems indicates limited exposure to this potential vulnerability, whether via network-based use or physical media. Philips imaging systems typically do not interpret or otherwise interact with the indicated DICOM “preamble” content, which has been identified as a possible vector for malicious code.
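An added example, not part of the Philips advisory and not Philips code: a defender-side check that inspects the 128-byte preamble of DICOM Part 10 files and flags content that starts with a known executable signature. The signature list, verdict names, function names and sample files are constructed for illustration.

```python
"""Triage DICOM Part 10 files by inspecting the 128-byte preamble."""

PREAMBLE_LEN = 128   # fixed-size preamble at the start of a Part 10 file
MAGIC = b"DICM"      # prefix that must follow the preamble

# Illustrative (not exhaustive) signatures of executable formats.
EXEC_SIGNATURES = {
    b"MZ": "Windows PE/DOS executable header",
    b"\x7fELF": "ELF executable header",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit header",
    b"#!": "script interpreter line",
}
# A TIFF header is a known legitimate use of the preamble (dual-format files).
TIFF_SIGNATURES = (b"II*\x00", b"MM\x00*")


def classify_preamble(data: bytes) -> tuple[str, str]:
    """Return (verdict, detail); verdict is ok, review, alert or not-dicom."""
    if data[PREAMBLE_LEN:PREAMBLE_LEN + len(MAGIC)] != MAGIC:
        return ("not-dicom", "no DICM prefix at offset 128")
    preamble = data[:PREAMBLE_LEN]
    if preamble == bytes(PREAMBLE_LEN):
        return ("ok", "preamble is all zero bytes")
    for signature, name in EXEC_SIGNATURES.items():
        if preamble.startswith(signature):
            return ("alert", name)
    if preamble.startswith(TIFF_SIGNATURES):
        return ("review", "TIFF header (dual-format file)")
    nonzero = sum(1 for byte in preamble if byte)
    return ("review", f"{nonzero} non-zero preamble bytes, unknown content")


def scan(files: dict[str, bytes]) -> dict[str, str]:
    """Map each file name to its verdict."""
    return {name: classify_preamble(blob)[0] for name, blob in files.items()}


def make_sample(preamble_start: bytes) -> bytes:
    """Build a constructed test file: padded preamble, DICM, stub bytes."""
    return preamble_start.ljust(PREAMBLE_LEN, b"\x00") + MAGIC + b"\x02\x00"


# Constructed samples, not real studies.
SAMPLES = {
    "clean.dcm": make_sample(b""),
    "polyglot.dcm": make_sample(b"MZ\x90\x00"),
    "dual_tiff.dcm": make_sample(b"II*\x00"),
    "vendor_note.dcm": make_sample(b"ACME"),
    "truncated.dcm": b"\x00" * 64,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, *classify_preamble(blob))
```

Files with an "alert" verdict are candidates for quarantine before they reach a system that might execute them; "review" covers preambles that are non-zero but not executable-looking.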

 

To date, the company has not received any reports of exploitation of these vulnerabilities or incidents from clinical use of Philips products that are associated with the type of attack demonstrated in published research. Additionally, Philips is not aware that the company’s devices were part of the research.

 

Philips welcomes collaboration with the security research community with regard to exploring strategies and methods to identify, address, and disclose known or potential cybersecurity threats to medical devices. Philips recognizes that the security of our healthcare, personal health, and home consumer products and services is business critical for our customers. We are dedicated to helping our customers maintain the confidentiality, integrity, and availability of personal data, business data and the Philips hardware and software products that create and manage this data.

 

Philips operates under a global Product Security policy governing design-for-security in product and services creation, as well as risk assessment and incident response activities for vulnerabilities identified in existing products.

 

In a medical devices industry “first”, Philips has established a Security Center of Excellence (SCoE) to develop products that are “cyber-resilient”.

 

We have also taken the lead in creating a Coordinated Vulnerability Disclosure (CVD) Policy, to collaborate with customers, security researchers, regulators and other agencies to help identify, address and disclose potential vulnerabilities in a safe and effective manner.

 

To fulfill our commitment to security, Philips maintains a global program to:

 

  • Develop, deploy, and support advanced security features for our products and services
  • Manage security events in the field

Philips participates in industry and government collaborations to help ensure product innovations and clinical information are produced and available at the highest level of quality, availability, and confidentiality.

Philips Tasy EMR (30-April-2019)

Publication Date:  April 30, 2019

Update Date:  November 7, 2019

 

Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.

 

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible system security vulnerabilities, the company is proactively issuing an advisory regarding the Philips TASY EMR system Version 3.02.1744 and earlier (possible cross-site scripting issue) and the Philips TASY Web Portal Version 3.02 1757 and earlier (possible information exposure issue).

This is an update to the April 2019 Coordinated Vulnerability Disclosure by Philips regarding this software, to add the TASY Web Portal issue.

 

Philips has become aware that these potential issues may allow an attacker with low skill to compromise patient confidentiality, system integrity, and/or system availability. Some of these vulnerabilities could be exploited remotely.

 

At this time, Philips has received no reports of exploitation of these vulnerabilities or incidents from clinical use that we have been able to associate with this problem. Philips analysis has shown that it is unlikely that this vulnerability would impact clinical use, due to mitigating controls currently in place. Philips analysis indicates that there is no expectation of patient hazard due to this issue. To date, Philips has received no complaints involving clinical use that we have been able to associate with this problem.

 

Philips advises customers to follow manufacturer instructions in the system configuration manual and not provide Internet access to the system without a Virtual Private Network (VPN). Customers are also advised to be on the last three (3) released versions, following the system software release schedule, and also upgrade service packs as soon as possible. Hosted solutions will be patched automatically. Customers running the application on premise are alerted via release notes on changes to the system.

 

Philips has reported this potential vulnerability and its resolution to customers and the appropriate government agencies, including US DHS ICS-CERT, which is issuing an advisory.

 

Users with questions regarding their specific Philips TASY EMR system are advised by Philips to contact their Customer Success Manager (CSM), local Philips service support team, or regional service support. Philips contact information is available at the following location:

https://www.usa.philips.com/healthcare/solutions/customer-service-solutions

Doomsday Docker (14-February-2019)

Publication Date:  February 14, 2019

Update Date: February 14, 2019

 

Philips is currently monitoring updates related to the recent advisory by the National Institute of Standards and Technology (NIST) regarding a flaw in runc, the container runtime used by Docker and Kubernetes. (See Advisory: https://nvd.nist.gov/vuln/detail/CVE-2019-5736.) The runc tool is the underlying container runtime for Docker, Kubernetes, and other container-dependent programs. It is an open-source command-line tool for spawning and running containers.

 

As part of Philips’ product security policy and protocols, Health Suite Digital Platform (HSDP) is aware of the recently disclosed security issue that affects several open-source container management systems (CVE-2019-5736).  HSDP Operations reviewed the security bulletin and determined that the Cloud Foundry and container-host service environments are not vulnerable due to user namespaces being strictly enforced.  No action is required by clients to address this security issue. At this time, Philips has not received reports of these vulnerabilities affecting clinical use of company products.
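An added example, not part of the Philips advisory and not HSDP code: one way to verify on a Linux container host that user namespaces remap container root, by parsing the kernel's `/proc/<pid>/uid_map` format (inside ID, outside ID, range length). It assumes that "enforced" means UID 0 inside the container maps to a non-zero host UID; the function names and sample maps are constructed for illustration.

```python
"""Check whether a container's root user is remapped by a user namespace."""
from pathlib import Path


def parse_id_map(text: str) -> list[tuple[int, int, int]]:
    """Parse uid_map/gid_map text into (inside_start, outside_start, length)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            entries.append((int(fields[0]), int(fields[1]), int(fields[2])))
    return entries


def host_id_for(entries, inside_id: int):
    """Translate an ID inside the namespace to the host ID, or None if unmapped."""
    for inside_start, outside_start, length in entries:
        if inside_start <= inside_id < inside_start + length:
            return outside_start + (inside_id - inside_start)
    return None


def container_root_is_host_root(uid_map_text: str) -> bool:
    """True when UID 0 in the namespace is also UID 0 on the host."""
    return host_id_for(parse_id_map(uid_map_text), 0) == 0


def check_pid(pid: int) -> bool:
    """Read the live map for a process on a Linux host."""
    return container_root_is_host_root(Path(f"/proc/{pid}/uid_map").read_text())


# Constructed sample maps.
NO_USERNS = "         0          0 4294967295\n"   # initial namespace, no remap
REMAPPED = "         0     100000      65536\n"    # root mapped to host UID 100000

if __name__ == "__main__":
    for label, sample in (("no userns", NO_USERNS), ("remapped", REMAPPED)):
        exposed = container_root_is_host_root(sample)
        print(f"{label}: container root is host root = {exposed}")
```

A process whose map reports host UID 0 for container UID 0 runs as real root on the host, which is the condition under which container root could overwrite a root-owned host binary such as runc.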

 

Philips advises that customers with product concerns relating to these vulnerabilities send an email to productsecurity@philips.com. Further information about Philips’ recommendations regarding this event may be found at the Philips product security web site: https://www.philips.com/productsecurity

 

Customers with questions regarding their specific products are advised to contact their local Philips service support team or their regional service support. Philips contact information is available at the following web page: https://www.usa.philips.com/healthcare/solutions/customer-service-solutions

Philips Veradius Unity, Pulsera, and Endura Dual WAN Router (19 December 2019)

Publication Date: December 19, 2019

Update Date: December 19, 2019

 

Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.

  

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible system security vulnerabilities, the company is proactively issuing an advisory regarding specific Philips Veradius Unity (718132) Medical Devices with a Dual WAN Router (with wireless or ViewForum options) shipped between 2016 and August 2018. The advisory also covers Pulsera (718095) and Endura (718075) Medical Devices with a Dual WAN Router (with wireless or ViewForum options) shipped between 26 June 2017 and 07 August 2018.

 

Philips has become aware that affected routers may have inadequate encryption strength, which may allow an unauthorized user to compromise the router management interface. 

 

Data confidentiality is protected by internal system design preventing exploitation of the Dual WAN router vulnerability. Even if the Dual WAN router vulnerability is exploited, there is no possible access to patient data or interference with usage of the system. Thus, the medical device is safe to use and has no security risk.

 

Philips has a solution available for customers who have the wireless or ViewForum option in their product to update the configuration of the Dual WAN router. 

 

Customers who wish to contact their local Philips service support team or regional service support can find Philips contact information at the following location:

https://www.usa.philips.com/healthcare/solutions/customer-service-solutions

 

Please see the Philips product security web site for the latest security information for Philips products: https://www.philips.com/productsecurity 

 

Philips has reported this potential vulnerability and its resolution to customers and the appropriate government agencies, including US DHS CISA, which is issuing an advisory.

Philips manufactures, sells and helps you maintain highly complex medical devices and systems. Per policy, only Philips authorized changes are allowed to be made to these systems, either by Philips personnel or under Philips explicit published direction.


Please contact your Philips service representative for specific information about potential vulnerabilities and the availability of patches for your equipment configuration.