Search terms

speed masthead

Committed to proactively addressing the security concerns of our customers

Contact us

To guide our efforts, we have created a global policy to address the evolving nature of security in medical technology, including product feature requirements, security threat assessment and tracking, and compliance with local government standards.

Security status

Philips Product Security Status documents have product-specific vulnerability updates and security-related information such as supported anti-virus software, OS security features, and remote service.

 

Each product has its own table and the products are separated by modality, i.e. Informatics, Ultrasound, Magnetic Resonance, etc. The Status Documents list known software vulnerabilities, the current status, and Recommended Customer Action.

 

Revised tables are posted regularly with the latest available information.

Manufacturer Disclosure Statement for Medical Device Security

 

As part of our commitment to product security and customer service, Philips Healthcare supplies our customers with information to help assess and address the vulnerabilities and risks associated with products that maintain or transmit ePHI.

 

Specifically, Philips Healthcare is using the Manufacturer Disclosure Statement for Medical Device Security (MDS²) to provide security information about its products.

 

The MDS² contains product specific security information such as:

 

  • Maintaining, storing, and transmitting ePHI
  • Data back-up and removable media capabilities
  • Installing security patches and anti-virus software
  • Remote service access
  • Audit logs of ePHI access including: Viewing; creating, modifying, and deleting records; importing/exporting

 

The MDS², a universal reporting form which allows Philips Healthcare to supply its customers with model-specific information, is endorsed by the American College of Clinical Engineering (ACCE), ECRI (formerly the Emergency Care Research Institute), the National Electrical Manufacturers Association (NEMA), and the Healthcare Information and Management Systems Society (HIMSS).

 

The form also contains security practice recommendations and explanatory notes from the manufacturer as well as detailed.

Form

Customers must register for access.    

 

To register, send an e-mail to Incenter@philips.com providing the following information:

 

  • Customer name/facilityname
  • Contact name and email
    address
  • Phone number and address

 

Once your request is processed, you will receive an email from GCS Helpdesk with login and passcode information.

 

Already registered?

Access documents here

Security Advisory Archives (2016 and prior)

Philips Xper-IM Vulnerabilities (21 Feb 2013)

Philips Healthcare is aware that researchers at a recent cyber-security conference in Florida presented on a security vulnerability in a system component of the Philips Xper Information Management System. This has been investigated by the responsible Philips engineering and product security experts and we expect to provide a software update within a short period of time once the software validation has been completed. Affected customers will be notified directly once this software update is available.

A related concern regarding the disclosure during the conference of service passwords used on Xper IM systems is already being addressed by a Philips Field Change Order (FCO 83000171) which is currently being distributed to all affected customers. The information provided by this FCO also contains instructions to mitigate the above network-based heap overflow vulnerability in the interim.

Philips Healthcare and Windows XP End of Support

As part of our continued attention to your security needs, Philips Healthcare wishes to bring to your attention that Microsoft has discontinued support for the Microsoft Windows XP Operating System, following
April 8, 2014.

 

Where feasible, Philips Healthcare has been developing solutions for products running Windows XP to address continuity of protection against known and emerging security threats and vulnerabilities.

 

To this end, Philips Healthcare will provide product-specific Statements to assist customers. Where applicable, these Product Statements may provide upgrade or field change order information.

Heartbleed Vulnerability

Philips Healthcare is aware of the OpenSSL ‘heartbleed’ security vulnerability. The vulnerability (assigned CVE-2014-0160) impacts OpenSSL versions 1.0.1 – 1.0.1f. The effect of this vulnerability on Philips healthcare products and services is being investigated by the Philips engineering and product security teams. Customers will be notified once a solution is available for any affected product(s).

 

For our Remote Service solution (PRS) we have reviewed all of our customer facing interfaces and VPN connections to our customer facilities, and can confirm that these are not affected by the Heartbleed issue.

SSLv3 POODLE Vulnerability

Philips Healthcare is aware of the SSLv3 POODLE security vulnerability. The effect of this vulnerability on Philips healthcare products and services is being investigated by the Philips engineering and product security teams. This site will be updated once a solution is available for any affected product(s).

 

Philips manufactures, and helps customers maintain, highly complex medical devices and systems. Per policy, only Philips-authorized changes are allowed to be made to these systems, either by Philips personnel or under Philips’ explicit published direction.

Shellshock (Unix Bash shell) Vulnerability

Philips Healthcare is aware of the Unix “Shellshock” security vulnerability. The effect of this vulnerability on Philips healthcare products and services is being investigated by the Philips engineering and product security teams. This site will be updated once a solution is available for any affected product(s).

Philips Xper-IM vulnerability information (14 Jul 2016)

In the second quarter of 2016, Philips was contacted by security researchers regarding potential security vulnerabilities with the Philips Xper-IM Connect system. As part of our Responsible Disclosure policy and processes, Philips has been in collaboration with the security researchers investigating this issue to promptly and transparently address the identified vulnerabilities in the Xper-IM Connect system.

 

The joint analysis by Philips and the researchers determined that Xper-IM Connect systems running on unsupported Windows XP operating systems and outdated product software were vulnerable to a number of potential exploits, which if implemented, could result in a remote attacker gaining access to an affected system.

 

The Philips product security team was able to confirm that all of the reported vulnerabilities in the Xper-IM Connect system are remediated by upgrading to the minimum specification of Windows 2008 Server or the recommended specification of Windows 2008 Server R2 and then applying a new product software version (Xper-IM Connect Version 1.5 Service Pack 13). We are providing recommendations and contact information in order to help any affected customers using a potentially affected Xper-IM Connect System address the issue and correct any affected systems as rapidly as possible.

 

Both Philips and the security researchers contributed to a joint disclosure to the U.S. Department of Homeland Security’s NCCIC/ICS-CERT organization, and was the source for that body’s Medical Device Advisory concerning this issue.

 

Philips is committed to ensuring the security and integrity of our products. Philips takes this matter very seriously. While any potential or identified security vulnerabilities are a concern, at this time we are not aware of any customers or patients that have been directly affected by this issue.

Philips manufactures, sells and helps you maintain highly complex medical devices and systems. Per policy, only Philips authorized changes are allowed to be made to these systems, either by Philips personnel or under Philips explicit published direction.


Please contact your Philips service representative for specific information about potential vulnerabilities and the availability of patches for your equipment configuration.

Security Advisory Archive

Archive of security notices for customer reference

Product Security

Philips Product Security Statement

Resources 

Philips Monitoring Systems:

Our approach to protecting patients, medical devices and information (92.0KB)

By clicking on the link, you will be leaving the official Royal Philips ("Philips") website. Any links to third-party websites that may appear on this site are provided only for your convenience and in no way represent any affiliation or endorsement of the information provided on those linked websites. Philips makes no representations or warranties of any kind with regard to any third-party websites or the information contained therein.

I understand

You are about to visit a Philips global content page

Continue

By clicking on the link, you will be leaving the official Royal Philips ("Philips") website. Any links to third-party websites that may appear on this site are provided only for your convenience and in no way represent any affiliation or endorsement of the information provided on those linked websites. Philips makes no representations or warranties of any kind with regard to any third-party websites or the information contained therein.

I understand

You are about to visit a Philips global content page

Continue

Our site can best be viewed with the latest version of Microsoft Edge, Google Chrome or Firefox.