A radiation dose management tool sold by Philips is vulnerable to hacks, according to an announcement by the Dutch technology company and the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
The advisory (ICSMA-17-229-01) says Philips has discovered two vulnerabilities in its DoseWise Portal (DWP) web application, which healthcare providers in the United States, Europe, Japan and Australia use to record, analyze and monitor imaging radiation doses for patients and clinicians.
Specifically, DWP versions 126.96.36.1993 and 188.8.131.5269 have hard-coded credentials and cleartext storage vulnerabilities which, if exploited, allow remote code to be executed by an attacker. If successful, an attack can give its author access to the DWP application database, which contains patient health information.
“Potential impact could therefore include compromise of patient confidentiality, system integrity, and/or system availability,” the advisory reads.
Both vulnerabilities can be exploited remotely, even by a low-skill attacker. Fortunately, there are no known public exploits that specifically target these vulnerabilities (yet).
OEM’s typically disclose such flaws in their products alongside an update that patches them. In this case, Philips offered two “interim mitigation” procedures until an update is developed and sent to DWP users. Philips tells customers to implement “network security best practices” and to “block Port 1433, except where a separate SQL server is used.”
ICS-CERT is a bit more thorough with its own recommendations:
- Minimize network exposure for all medical devices and/or systems, and ensure that they are not accessible from the Internet
- Locate all medical devices and remote devices behind firewalls, and isolate them from the business network
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices
Due to the complexity of the settings in which DWP applications are used, it’s important that healthcare providers perform proper impact analysis and risk assessment before taking any steps to deploy the above defensive measures.
Healthcare providers should expect a new product version and accompanying documentation later this month. No exact date has been set to release the DWP patch.
Even with a patch in the works, the news is not encouraging. A Deloitte survey of 370 professionals in the medical device/IoT ecosystem this year revealed that 35.6 percent of organizations suffered some form of cybersecurity incident in the past 12 months.
Only 18.6 percent of medical device vendors said they were prepared for a lawsuit if their products were subject to cyberattacks.