Philips Healthcare and the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) have issued security advisories regarding potential vulnerabilities in the vendor's iSite and IntelliSpace PACS software.
While it has not received any reports of patient harm or any complaints related to clinical use, Philips said it has confirmed that iSite and IntelliSpace PACS contain security vulnerabilities that could, under certain specific conditions, affect or potentially compromise patient confidentiality, system integrity, and/or system availability.
If fully exploited, these issues may allow attackers of low skill to provide unexpected input into the application, execute arbitrary code, alter the intended control flow of the system, access sensitive information, or potentially cause a system crash, according to the vendor. Some of these vulnerabilities could be exploited remotely, and exploits targeting them are known to be publicly available.
It is unlikely that these vulnerabilities would affect clinical use, due to mitigating controls currently in place, the company said. IntelliSpace PACS runs in a managed service environment that adheres to ICS-CERT recommendations to minimize the risk of exploitation.
Furthermore, Philips offers an automated antivirus application that continuously monitors and remediates threats across all systems in the managed service environment, according to the firm. Philips also encourages all IntelliSpace PACS users to participate in its monthly recurring patch program to receive all approved operating system and application patches in a timely fashion.
Philips also noted that it provided software updates in 2016 and has controlling mitigations on the affected PACS software to further limit the risk and exploitability of these vulnerabilities. Version 3.6 of iSite PACS, however, is at its end of life and end of service, the company said.
Philips is offering customers a number of potential options to remediate the risk of these vulnerabilities:
- Enroll in Philips' recurring patch program. This will remediate 86% of all known vulnerabilities, according to the firm.
- Enroll in Philips' recurring patch program and update system firmware. This option will remediate 87% of all known vulnerabilities, including all known critical vulnerabilities, Philips said.
- Enroll in Philips' recurring patch program, update system firmware, and upgrade to IntelliSpace PACS 4.4.55x on the Windows 2012 operating system. This is the most robust option, which addresses product hardening and remediates 99.9% of all known vulnerabilities, including all critical vulnerabilities, Philips said.
All three options are provided at no charge by Philips for full-service delivery model contracts, the company said.
The full Philips security advisory can be found here, and the ICS-CERT security advisory is available here.