Cybersecurity Vulnerabilities in Philips IntelliSpace System Expose Sensitive Cardiac Patient Information

The Industrial Control Systems Cyber Emergency Readiness Team (ICS-CERT) and Philips Healthcare issued a warning after discovering cybersecurity vulnerabilities in Philips’ IntelliSpace Cardiovascular (ISCV) and Xcelera cardiology image and information management software.

According to the ICS-CERT, “Successful exploitation of these vulnerabilities could allow an attacker with local access and users privileges to the ISCV/Xcelera server to escalate privileges on the ISCV/Xcelera server and execute arbitrary code.”

ICS-CERT found two vulnerabilities in the Philips IntelliSpace system, identified as Improper Privilege Management (CVE-2018-14787) and Unquoted Search Path or Element (CVE-2018-14789). Luckily, neither vulnerability is critical, but they could allow attackers to execute arbitrary code and gain access to patient details.

The vulnerabilities affect IntelliSpace Cardiovascular version 3.1 or earlier and Xcelera version 4.1 or earlier. However, it seems that neither flaw has been exploited yet.

“At this time, Philips has received no reports of exploitation of these vulnerabilities or incidents from clinical use that we have been able to associate with this problem, and no public exploits are known to exist that specifically target these vulnerabilities,” Philips said in its security advisory.
The company has reported the matter to the National Cybersecurity and Communications Integration Center (NCCIC).

Philips will release patches for the vulnerabilities in its next version, ISCV 3.2, which is scheduled for release in October 2018.

Meanwhile, the company has advised users to limit network access, review and restrict file permissions, and use secure VPNs for remote access.
