CISA warns of security flaw in Philips MRI monitoring software

Dive Brief:

  • Philips Healthcare’s e-Alert magnetic resonance imaging monitoring software has a security vulnerability that could allow an unauthorized user to shut down the system remotely, according to a medical advisory released Tuesday by the US Cybersecurity and Infrastructure Security Agency.
  • CISA warned that Philips e-Alert software versions 2.7 and earlier do not perform any authentication for critical system functionality, a weakness that a malicious actor with access to a health facility’s network could exploit. Philips plans a new release to fix the vulnerability before July 2022, CISA said. In the meantime, the cyber agency noted that the company recommends “only authorized personnel should be allowed access to the network and devices connected to it,” among other actions.
  • The vulnerability, discovered by a senior cybersecurity analyst at St. Jude Children’s Research Hospital and reported to Philips, has a Common Vulnerability Scoring System score of 6.5 out of 10 (medium severity). “If exploited, unauthorized users may issue an unauthenticated remote shutdown command, resulting in a denial of service of the e-Alert hardware solution,” Philips said in a statement sent by email. However, at this time, the company “has not received any reports of exploitation of this vulnerability.”

Dive Insight:

Philips e-Alert uses sensors to monitor and quickly respond to potential MRI machine issues, including chilled water supply, helium level and humidity, which are critical to the proper operation of the medical imaging system. However, the software does not perform any authentication for critical system functionality, and that missing check is what the vulnerability allows an attacker to exploit.

Philips released its own security advisory on Tuesday, stating that the company “has identified a potential vulnerability that may allow an attacker within the same subnet to impact system availability” and that the vulnerability “may allow low-skilled attackers to issue an unauthenticated remote shutdown command, leading to a denial of service of the e-Alert hardware solution.”

Since the e-Alert hardware solution is not a medical device, Philips claims there is no risk to patient safety. However, unauthorized users could issue a remote shutdown command, causing a denial of service for the e-Alert system and potentially downtime for an MRI machine.

To restore e-Alert functionality after an unauthorized shutdown through the vulnerability, Philips said in its security advisory that “the hardware system must be manually reactivated.”

Earlier this month, Philips announced it had expanded its medical device cybersecurity services to “provide benefits to healthcare providers, including increased availability, clinical performance, and advanced security to help protect access to their clinical solutions and medical devices.”

However, this is not the first time that CISA has published an advisory regarding serious cybersecurity vulnerabilities discovered in Philips e-Alert.

In 2018, CISA released an advisory detailing nine cyber vulnerabilities that “may allow attackers to provide unexpected application input, execute arbitrary code, display unit information, or potentially cause e-Alert to crash.”

At the time, Philips released version R2.1 of e-Alert to fix some of the flaws and said another product software update was planned for the end of 2018 to fix the remaining issues.

In Tuesday’s notice, Philips said it reported the latest e-Alert vulnerability publicly and to appropriate government agencies, including CISA, as part of the company’s voluntary Coordinated Vulnerability Disclosure Program “to help identify, address, and disclose potential vulnerabilities in a safe and effective manner.”
