Dive Brief:
- Philips Healthcare's e-Alert magnetic resonance imaging (MRI) monitoring software has a security vulnerability that could potentially allow an unauthorized user to remotely shut down the system, according to a medical advisory issued on Tuesday by the U.S. Cybersecurity and Infrastructure Security Agency.
- CISA warned that versions 2.7 and prior of Philips' e-Alert do not perform any authentication for critical system functionality, so a bad actor with access to a healthcare facility's network could exploit the vulnerability. Philips plans a new release to remediate the vulnerability before July 2022, CISA said. In the meantime, the cyber agency noted that the company recommends "only authorized personnel should be permitted to access the network and the devices connected to it," among other actions.
- The vulnerability, discovered by a senior cybersecurity analyst at St. Jude Children's Research Hospital and reported to Philips, has a Common Vulnerability Scoring System (CVSS) score of 6.5 out of 10 (medium severity). "If exploited, it is possible for unauthorized users to issue an unauthenticated remote shutdown command, leading to a denial of service of the e-Alert hardware solution," Philips said in an emailed statement. However, at this time, the company "has received no reports of exploitation of this vulnerability."
Dive Insight:
The Philips e-Alert uses sensors to monitor, and rapidly respond to, potential issues with MRI machines, including the cooled water supply, helium level and humidity, all of which are critical to the proper performance of the medical imaging systems. The weakness at the root of the vulnerability is that the software does not perform any authentication for critical system functionality.
Philips on Tuesday issued its own security advisory, stating that the company "has identified one potential vulnerability that may allow an attacker within the same subnet to impact system availability" and that the vulnerability "may allow attackers of low skill to issue an unauthenticated remote shutdown command, leading to a denial of service of the e-Alert hardware solution."
Because the e-Alert hardware solution is not a medical device, Philips contends there is no risk to patient safety. However, unauthorized users could execute a remote shutdown command, resulting in denial of service for the e-Alert system and potentially downtime for an MRI machine.
To restore operation of e-Alert after an unauthorized shutdown exploiting the vulnerability, the "hardware system needs to be manually powered on again," according to Philips' security advisory.
Earlier this month, Philips announced it expanded its medical device cybersecurity services to "provide benefits for healthcare providers including increased uptime, clinical performance, and advanced security to help protect access to their clinical solutions and medical devices."
However, this is not the first time that CISA has issued an advisory about serious cybersecurity flaws found in Philips e-Alert.
CISA in 2018 put out an advisory detailing nine cyber vulnerabilities that "may allow attackers to provide unexpected input into the application, execute arbitrary code, display unit information, or potentially cause e-Alert to crash."
At the time, Philips released e-Alert version R2.1 to remediate some of the flaws and said another product software update was planned for the end of 2018 to address the remaining issues.
In Tuesday's advisory, Philips said it reported the latest e-Alert vulnerability publicly and to the appropriate government agencies, including CISA, as part of the company's voluntary Coordinated Vulnerability Disclosure (CVD) program "to help identify, address and disclose potential vulnerabilities in a safe and effective manner."