Skip to main content
close search
site logo
Dive Brief

McKesson, Philips devices flagged by DHS for cyber vulnerabilities

Published Aug. 30, 2019
By
Contributor
An illustration of cyber security, showing a padlock over a circuit board.
Getty

Dive Brief:

  • Products sold by Philips and a McKesson joint venture were the subjects of Department of Homeland Security cybersecurity alerts issued Thursday.

  • The McKesson alert, which relates to a cardiovascular IT system, is the more serious of the two notices, scoring 7.8 out of 10 on the scale used to assess cybersecurity vulnerabilities. That score reflects the potential for a low-skilled hacker to get the system to execute code.

  • The Philips notice, scored at a 3.0, covers the potential for someone on the same local subnetwork as an old ultrasound system to access images.

Dive Insight:

McKesson’s technology, which is now sold by the Change Healthcare joint venture it created in 2016, enables cardiologists to gather data from multiple sources into single cardiac files for every patient and make the information available to the entire care team. 

Through the vulnerability, attackers can “execute unauthorized arbitrary code.” The alert does not unpack the implications of that phrase in the context of the cardiology system. Generally speaking, arbitrary code may enable hackers to run a wide range of commands, including those that give them access to files stored on the systems.

Multiple generations of cardiology IT systems sold by McKesson and Change Healthcare suffer from the vulnerability. Change Healthcare is patching systems to address the weakness. In the meantime, users are advised to keep the devices behind firewalls and disable unnecessary accounts.

The second cybersecurity alert issued by DHS details a problem with Philips HDI 4000 ultrasound systems that run Windows 2000 and other old operating systems. The exploit enables an attacker on the local subnetwork to view images.

Philips stopped supporting the devices at the end of 2013. As such, the vulnerability will not be fixed. DHS recommends users consider buying newer ultrasound equipment that runs on a still-supported operating system. Failing that, users are advised to ensure only authorized personnel have access to the system and to disable unnecessary accounts.    

The alert is the third issued about a Philips product this year after notices regarding its Tasy Electronic Medical Record and Holter 2010 Plus. The Change Healthcare alert is the second received by either it or McKesson, the previous one being issued last October.

Recommended Reading

Editors' picks

Company Announcements

View all | Post a press release
Powerful Medical Becomes the First Company to Win Best Science Startup and Overall Winner at A…
From Powerful Medical
November 21, 2024
Echosens Launches its Liver Health Management (LHM) Platform Globally, Streamlining Liver Care
From Echosens
November 04, 2024
New Published Study Shows MedLite ID as Faster and Simpler Solution to Primary Medication Infu…
From Orion Innovations
November 20, 2024
Arsenal Medical Launches EMBO-02 Study for NeoCast™ to Assess Treatment of Chronic Subdural He…
From Arsenal Medical
November 14, 2024
Editors' picks
Latest in Medical Devices
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell