U.S. agency issues security warning for Philips PACS software

2019 03 26 18 32 2300 Computer Hacker Security 400

The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and Philips Healthcare have issued security advisories for various versions of the vendor's Vue PACS software and related products.

Philips has identified 15 potential security vulnerabilities that could affect or potentially compromise patient confidentiality, system integrity, and/or system availability.

"Successful exploitation of these vulnerabilities could allow an unauthorized person or process to eavesdrop, view or modify data, gain system access, perform code execution, install unauthorized software, or affect system data integrity in such a way as to negatively impact the confidentiality, integrity, or availability of the system," wrote CISA in the security advisory from its Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

Philips informed CISA of the vulnerabilities, which have been found on the following Vue PACS products:

  • Vue PACS: versions 12.2.x.x and prior
  • Vue MyVue: versions 12.2.x.x and prior
  • Vue Speech: versions 12.2.x.x and prior
  • Vue Motion: versions 12.2.1.5 and prior

"Philips' analysis has shown that these issues require a range of low skill to high skill to exploit," the company wrote in its security advisory.

Some of these affected vulnerabilities could be attacked remotely, and exploits that could target these vulnerabilities are known to be publicly available, the company also noted. However, Philips said it hasn't received any reports of exploitation of these issues or of incidents from clinical use that it has been able to associate with this issue.

Philips is recommending that users upgrade to the latest Vue PACS software running on the 2019 Windows operating system and enable security patching procedures for timely security updates. Many of the vulnerabilities have been remediated via new software versions, and upcoming releases of version 15 for Vue PACS, Vue Speech, and Vue MyVue in the first quarter of 2022 will address the remaining issues, according to the Philips mitigation plan included in the CISA security advisory.

To minimize the risk of these vulnerabilities, CISA also recommends users take the following steps:

  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPNs are only as secure as the connected devices.
Page 1 of 775
Next Page