US Homeland Security: Philips PACS software vulnerable to cyberattacks

Philips Healthcare and the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) officially issued security advisories regarding vulnerabilities in Philips' medical imaging management software systems iSite and IntelliSpace PACS.

According to a March 29 ICS-CERT advisory statement, Philips has confirmed that all versions of the technologies contain security vulnerabilities, predominantly in third-party components. Philips estimates that iSite and IntelliSpace PACS are currently being used in 30 countries in North America, Asia, Europe and the Middle East.

"If exploited, these vulnerabilities could impact or compromise patient confidentiality, system integrity, and/or system availability," according to the ICS-CERT advisory. "The vulnerabilities may allow attackers of low skill to provide unexpected input into the application, execute arbitrary code, alter the intended control flow of the system, access sensitive information or potentially cause a system crash."

Although Philips has received no confirmed reports of patient harm or complaints involving clinical use, the U.S. National Cybersecurity and Communications Integration Center (NCCIC) advises organizations using these technologies to evaluate the impact of potential vulnerabilities based on the operational environment and specific clinical usage, according to the ICS-CERT statement.

Philips is offering customers an automated antivirus application to continuously monitor and handle threats in all software systems responsible for management services, according to a March 28 Philips customer advisory statement. The company is also providing a monthly recurring IntelliSpace PACS patch program for customers to promptly receive Philips-approved operating system and application patches.   

"In addition, in 2016 Philips announced software updates and has controlling mitigations on the affected PACS systems to further limit the risk and exploitability of these vulnerabilities," Philips added. "The Philips iSite 3.6 platform is currently at its end of life (EoL) and end of service (EoS)."  

Additionally, Philips is offering customers the following options to correct these vulnerabilities, which are provided free of charge by Philips for full-service delivery model contracts:

  • The simplest option is to enroll in Philips' recurring patching program, which will remediate 86 percent of all known vulnerabilities.
  • A more robust option is to enroll in Philips' recurring patching program and update system firmware. This option will remediate 87 percent of all known vulnerabilities, including all known critical vulnerabilities.
  • The most robust option from Philips is to enroll in the recurring patching program, update system firmware and upgrade to IntelliSpace PACS 4.4.55x with Windows operating system 2012, which addresses product hardening; this option remediates 99.9 percent of all the known vulnerabilities, including all critical vulnerabilities.

View the entire Philips security advisory here and the ICS-CERT security advisory here.