By John R. Fischer, Senior Reporter | April 04, 2022
A potential vulnerability in Philips’ e-Alert MR monitoring system may give outside parties on a healthcare facility’s network unwanted access, allowing them to remotely shut down the system.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a notice that says the software does not perform any authentication for critical system functionality.
Philips plans to release a new version of the system before July 2022 to remedy the vulnerability. “Regarding the e-Alert coordinated vulnerability disclosure, Philips proactively and voluntarily issued an advisory regarding a moderate-severity potential vulnerability (CVSS score 6.5 out of 10) for the Philips e-Alert hardware solution, versions 2.7 and prior. At this time, Philips has received no reports of exploitation of this vulnerability. Philips e-Alert hardware solution is not a medical device, therefore there is no risk to patient safety,” Mario Fante, senior press officer for Philips, told HCB News.
Should an unauthorized user gain access and issue an unauthenticated remote shutdown command, this will cause the e-Alert hardware solution to stop functioning properly. Restoring it will require manually powering it off and then back on.
“The consequences will depend on the associated functionality, but they can range from reading or modifying sensitive data, access to administrative or other privileged functionality, or possibly even execution of arbitrary code,” said CISA in its report on the security flaw.
Philips recommends that all users abide by its authorized specifications when using its products, including physical and logical controls. It also says that providers should take steps to ensure that only authorized personnel can access the network and devices connected to it.
The company has reported the vulnerability publicly and to appropriate government agencies, including CISA. Users with questions are advised to contact Philips’ Customer Success Manager, local Philips service support team or regional service support.
CISA recommends that providers minimize network exposure for all devices and systems connected to the product to make sure they cannot be accessed via the internet. It also says that users should set up firewalls to isolate control system networks and remote devices from the business network. Additionally, it recommends checking and updating virtual private networks to the most current version available. “VPN is only as secure as its connected devices,” it wrote.