
CISA Issues New PACS Security Advisory

Last week, the Cybersecurity and Infrastructure Security Agency said a series of remotely exploitable vulnerabilities affect versions of the Philips Vue Picture Archiving and Communication System (PACS) prior to 12.2.8.410. They could allow attackers to view or modify data, gain access to the system, execute code, install unauthorized software, or compromise data integrity or system availability.

On Tuesday, after examining some of the disclosed vulnerabilities, researchers from Cyble, a threat intelligence vendor whose tooling uses artificial intelligence, said the United States and Brazil were the two countries most at risk of attack.

WHY IT MATTERS

CISA said in its advisory that TAS Health, a division of Te Whatu Ora in New Zealand, and a system administrator at Verweijen ICT, a Dutch cloud and networking service provider for small and medium-sized businesses, reported the vulnerabilities.

The weakness classes (CWEs) that CISA lists for Philips Vue PACS are:

  • Out-of-bounds write.
  • Deserialization of untrusted data.
  • Uncontrolled resource consumption.
  • Improper privilege management.
  • Use of default credentials.
  • Weak password requirements.
  • Exposure of sensitive information to an unauthorized actor.

In a statement on July 18, Philips said it had not received “any reports of harm to patients, exploitation of these issues, or incidents during clinical use that we could link to these issues.”

Meanwhile, Cyble said in a July 23 report that now that the vulnerabilities are publicly known, the healthcare sector's exposure is greater than before.

“The medical and public health sectors rely heavily on [PACS] due to the nature of their operations in this environment; at the same time, activities carried out through PACS become lucrative targets.”

Specifically, the Philips Vue PACS vulnerabilities, combined with a given system's exposure to the internet, could be quickly exploited by attackers to compromise data, violate patient privacy, or disrupt healthcare facilities, patient safety and care.

Cyble notes that the United States and Brazil have the highest number of internet-exposed systems.

Philips recommends the following mitigations in its customer security advisory:

For vulnerabilities CVE-2020-36518, CVE-2020-11113, CVE-2020-35728, CVE-2021-20190, CVE-2020-14061, CVE-2020-10673, CVE-2019-12814, CVE-2017-17485, CVE-2023-40223 and CVE-2023-40159, Philips recommends upgrading to the latest Vue PACS version 12.2.8.400* released in August 2023.

For CVE-2021-28165, Philips recommends configuring the Vue PACS environment according to D000763414 – Vue_PACS_12_Ports_Protocols_Services_Guide available on Incenter. Philips also recommends upgrading to Vue PACS version 12.2.8.410* released in October 2023.

For CVE-2023-40704 and CVE-2023-40539, Philips recommends configuring the Vue PACS environment according to 8G7607 – Vue PACS Rev G User Guide available on Incenter.
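The advisory maps the CVEs to two fix versions plus two configuration guides, so the practical first step for an operator is to check an inventory of Vue PACS installations against those thresholds. The script below is an added example, not Philips or CISA code: the CVE groupings, fix versions and guide identifiers are taken from the advisory text above, the inventory is constructed sample data, and the assumption that Vue PACS version strings compare as dotted integer tuples (so that 12.2.8.5 is older than 12.2.8.410, which a plain string comparison gets wrong) is ours.

```python
"""Triage a Vue PACS inventory against the Philips advisory fix versions.

Added example, not Philips or CISA code.  CVE groupings, fix versions and
configuration guides come from the advisory text; the inventory is
constructed sample data; dotted-integer version ordering is an assumption.
"""

# CVEs the advisory says are addressed by a given Vue PACS release.
FIXED_IN = {
    "12.2.8.400": [
        "CVE-2020-36518", "CVE-2020-11113", "CVE-2020-35728", "CVE-2021-20190",
        "CVE-2020-14061", "CVE-2020-10673", "CVE-2019-12814", "CVE-2017-17485",
        "CVE-2023-40223", "CVE-2023-40159",
    ],
    "12.2.8.410": ["CVE-2021-28165"],
}

# Issues for which the advisory points at a configuration guide
# (in addition to, or instead of, a version upgrade).
CONFIG_MITIGATED = {
    "CVE-2021-28165": "D000763414 - Vue_PACS_12_Ports_Protocols_Services_Guide",
    "CVE-2023-40704": "8G7607 - Vue PACS Rev G User Guide",
    "CVE-2023-40539": "8G7607 - Vue PACS Rev G User Guide",
}

# CVEs that have no version fix listed at all: the guide applies regardless.
_VERSION_FIXED = {c for cves in FIXED_IN.values() for c in cves}
CONFIG_ONLY = [c for c in CONFIG_MITIGATED if c not in _VERSION_FIXED]

# Constructed sample inventory: hostname -> reported Vue PACS version.
INVENTORY = {
    "pacs-core-01": "12.2.8.410",
    "pacs-core-02": "12.2.8.400",
    "pacs-dr-01": "12.2.8.5",        # lexically "newer" than 12.2.8.410, actually older
    "pacs-lab": "12.2.10.100*",      # trailing marker as in the advisory text
}


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '12.2.8.410' into (12, 2, 8, 410).

    Only the leading digit run of each dotted component is used, so a
    trailing '*' or build tag is ignored.  Comparing the resulting tuples
    orders releases numerically; comparing the raw strings would not.
    """
    parts = []
    for comp in v.strip().split("."):
        digits = ""
        for ch in comp:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            raise ValueError(f"unparseable version component {comp!r} in {v!r}")
        parts.append(int(digits))
    return tuple(parts)


def outstanding_cves(installed: str) -> list[str]:
    """Advisory CVEs not yet addressed by the installed release."""
    have = parse_version(installed)
    out: list[str] = []
    for fixed, cves in FIXED_IN.items():
        if have < parse_version(fixed):
            out.extend(cves)
    return out


def triage(inventory: dict[str, str]) -> dict[str, dict]:
    """Per host: outstanding CVEs and the configuration guides still to apply."""
    report = {}
    for host, version in inventory.items():
        cves = outstanding_cves(version)
        guides = {CONFIG_MITIGATED[c] for c in cves if c in CONFIG_MITIGATED}
        guides.update(CONFIG_MITIGATED[c] for c in CONFIG_ONLY)
        report[host] = {
            "version": version,
            "outstanding": cves,
            "guides": sorted(guides),
        }
    return report


if __name__ == "__main__":
    for host, r in triage(INVENTORY).items():
        print(f"{host:14} {r['version']:14} "
              f"outstanding={len(r['outstanding'])} guides={r['guides']}")
```

Run as-is it reports pacs-dr-01 as missing all eleven CVE fixes, because 12.2.8.5 sorts below 12.2.8.400 once the components are compared as integers, while pacs-lab on a later branch needs only the Rev G configuration guide. Feed it a real export of installed versions and it becomes a quick worklist for the upgrade and configuration steps the advisory describes.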

CISA shared this information in an advisory sent to US healthcare organizations, reminding them to conduct appropriate impact analysis and risk assessments before “deploying defensive measures.”

Philips contacted Healthcare IT News to add that it collaborates across the industry and actively encourages vulnerability discovery and disclosure.

“Most of these potential issues were addressed with the August 2023 Vue PACS version 12.2.8.400 software release, and one issue was addressed with the October 2023 Vue PACS version 12.2.8.410 release. Additionally, Philips reported this vulnerability through our publicly accessible, Voluntary Coordinated Vulnerability Disclosure program. Philips’ CVD program, established in 2014, encourages security researchers and customers to test for vulnerabilities, and we proactively and voluntarily share the results with CISA for disclosure,” a Philips spokesperson said via email on Wednesday.

THE LARGER TREND

The systems hospitals use to manage, store and transmit digital medical images and reports – X-rays, MRIs, CT scans – have historically been vulnerable to cyberattacks.

In early 2023, federal agencies warned US healthcare organizations that the Clop ransomware group was targeting medical imaging.

According to the Health Sector Cybersecurity Coordination Center (HC3), Clop attackers sent malware-laden image files to facilities along with appointment requests, in the hope that staff would open the files.

ON THE RECORD

“Under certain conditions, the potential security vulnerabilities identified by Philips could impact or jeopardize patient confidentiality, system integrity, and/or system availability,” Philips said in its announcement.

“Regular patching and updating of PACS are essential steps that need to be taken on an ongoing basis to verify the security and integrity of healthcare operations, protect patient information, and maintain the overall resilience of healthcare services,” Cyble researchers said.

This article was updated on July 24, 2024, to include commentary from Philips.

Andrea Fox is senior editor of Healthcare IT News.
Email: [email protected]

Healthcare IT News is a publication of HIMSS Media.
