Philips and the U.S. Cybersecurity Infrastructure and Security Agency (CISA) have issued security advisories for potential vulnerabilities related to legacy versions of the vendor's Vue PACS software.
Security vulnerabilities have been identified for Vue PACS versions prior to 12.2.8.410, the company said in its advisory.
"Successful exploitation of these vulnerabilities could allow an unauthorized person or process to eavesdrop, view or modify data, gain system access, perform code execution, install unauthorized software, or affect system data integrity to negatively impact system confidentiality, integrity, or availability," the CISA wrote in its cybersecurity advisory.
To date, Philips has not received any reports of patient harm, exploitation of these issues, or incidents from clinical use associated with the issues.
Most of the vulnerabilities are resolved with version 12.2.8.400, which was released in August 2023. Another update, version 12.2.8.410, also addresses another specific vulnerability that could affect system availability. The company offered mitigation strategies for users who have not completed these software upgrades:
- Philips recommends configuring the Vue PACS environment per 8G7607 – Vue PACS User Guide Rev G available on InCenter
- Philips recommends configuring the Vue PACS environment per D000763414 –Vue_PACS_12_Ports_Protocols_Services_Guide available on InCenter
