Amsterdam-based Philips’ Patient Information Center iX, PerformanceBridge Focal Point, IntelliVue Patient Monitors MX100, MX400-MX850 and MP2-MP90 and IntelliVue X2 and X3 were all listed among the affected equipment in a DHS release.
Potential vulnerabilities within those devices include improper neutralization of formula elements in a CSV file, cross-site scripting, improper authentication, improper check for certificate revocation, improper handling of length parameter inconsistency, improper validation of syntactic correctness of input, improper input validation, and exposure of a resource to the wrong sphere.
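The first item in that list, improper neutralization of formula elements in a CSV file (commonly called CSV injection), is the one most easily shown in code: when an export writes user-supplied text into a cell that begins with a character a spreadsheet treats as a formula, opening the file evaluates it. The following Python sanitizer is an added example written for this article, not Philips' code, and the patient rows are constructed sample data. It neutralizes cells on export and also reports which incoming cells would have been interpreted as formulas, which is the check a defender would want when auditing existing exports.

```python
import csv
import io

# Characters that spreadsheet applications interpret as the start of a formula
# when a CSV cell is opened. Tab and carriage return are included because some
# applications strip leading whitespace before deciding how to read the cell.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value):
    """True if a string cell would be evaluated as a formula by a spreadsheet."""
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value):
    """Return a cell value that a spreadsheet will treat as literal text.

    Non-string values (numbers, None) are returned unchanged: once serialized
    they are plain numerals and cannot start with a formula trigger.
    """
    if is_formula_like(value):
        # A leading single quote makes the spreadsheet read the cell as text.
        # The csv writer adds field quoting itself where the content needs it.
        return "'" + value
    return value


def find_formula_cells(rows, fieldnames):
    """Audit helper: list (row_index, field) for every cell that needs neutralizing."""
    hits = []
    for i, row in enumerate(rows):
        for field in fieldnames:
            if is_formula_like(row.get(field)):
                hits.append((i, field))
    return hits


def export_rows(rows, fieldnames):
    """Serialize rows to CSV text with every cell neutralized on the way out."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k)) for k in fieldnames})
    return buf.getvalue()


# Constructed sample data: one ordinary note, one formula-like note, and one
# legitimate free-text value that happens to begin with a minus sign.
SAMPLE_FIELDS = ["patient_id", "note"]
SAMPLE_ROWS = [
    {"patient_id": "P-0001", "note": "Routine check"},
    {"patient_id": "P-0002", "note": "=SUM(A1:A3)"},
    {"patient_id": "P-0003", "note": "-5 mmHg drift"},
]

if __name__ == "__main__":
    print("cells needing neutralization:", find_formula_cells(SAMPLE_ROWS, SAMPLE_FIELDS))
    print(export_rows(SAMPLE_ROWS, SAMPLE_FIELDS))
```

The trade-off is visible in the third row: free text that starts with a minus sign is also prefixed, because the exporter cannot tell a harmless note from a formula. Keep numeric columns as numbers rather than strings so that genuine negative values are not affected, and neutralize only the text columns.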
According to DHS, these vulnerabilities can be exploited by an attacker with a low skill level and, if exploited successfully, could lead to unauthorized access, interrupted monitoring, and collection of access information and/or patient data. To exploit the vulnerabilities, an attacker would need physical access to surveillance stations and patient monitors, or access to the medical device network.
Philips plans a new release to address all reported vulnerabilities and recommends that anyone potentially affected use a firewall or routers that can implement access control lists, restricting access to the monitoring network to only the necessary ports and IP addresses, along with other security measures.
The company has created a publicly accessible, voluntary Coordinated Vulnerability Disclosure (CVD) program to collaborate with customers, security researchers, regulators and other agencies to help identify, address and disclose potential vulnerabilities in a safe and effective manner.
As of now, Philips said there are no known public exploits available for the issues listed by DHS, and it has not received any reports of exploitation of the issues or of incidents from clinical use that would be associated with them.
This article was updated with clarifications from Philips.