Philips Healthcare said it's working to address a security vulnerability found on two versions of its DoseWise Portal (DWP) radiation dose management software application.
In an August 17 security disclosure, Philips reported that versions 1.1.7.333 and 2.1.1.3069 of DoseWise Portal contain security vulnerabilities due to hard-coded database credentials that are stored unencrypted in clear text within back-end system files behind current production security defenses. The company confirmed the findings of a report that had been submitted by a customer.
Philips said, however, that it has received no reports to date regarding exploitations of these vulnerabilities or incidents from clinical use that have been associated with this problem.
To exploit these vulnerabilities to access the underlying DoseWise Portal database, an attacker would first need to have elevated privileges to access the web application back-end system files that contain the hard-coded credentials, Philips said. Successful exploitation, though, may allow a remote attacker to gain access to the DWP application database that contains patient health information. The effects of such access could include compromised patient confidentiality, system integrity, and/or system availability, according to the vendor.
Philips plans to release software and documentation updates this week to address the issue, a Philips spokesperson told AuntMinnie.com. Customers with version 2.1.1.3069 will be upgraded to version 2.1.2.3118, which will replace the authentication method and eliminate the hard-coded password vulnerabilities. Philips said it will reconfigure the DWP installation for customers with version 1.1.7.333 to change and fully encrypt all stored passwords.
Until the update can be applied, Philips is recommending that customers ensure network security best practices are implemented. In addition, they recommend that customers block Port 1433, except where a separate SQL server is used. The full security disclosure can be found here.