The latest medical devices make impressive use of technology for patient monitoring and treatment. However, vulnerabilities in such devices also threaten patients' privacy and security. Recently, ICS-CERT has discovered various cybersecurity vulnerabilities in the Philips IntelliSpace System. These vulnerabilities allow attackers to access the system and steal patient information.
Vulnerabilities In Philips IntelliSpace System (ISCV)
This week, the Industrial Control Systems Cyber Emergency Readiness Team (ICS-CERT) discovered some cybersecurity vulnerabilities in the Philips IntelliSpace Cardiovascular System (ISCV). They disclosed their findings in an alert they released on August 14, 2018.
Reportedly, two different vulnerabilities were found in the Philips IntelliSpace System that could allow hackers to steal patient information. Explaining how these flaws could trigger attacks, the report states that exploiting these vulnerabilities could allow attackers to execute arbitrary code, obtain local administrative access, and escalate privileges.
As described in their report,
“Successful exploitation of these vulnerabilities could allow an attacker with local access and user privileges to the ISCV/Xcelera server to escalate privileges on the ISCV/Xcelera server and execute arbitrary code.”
ICS-CERT identified these vulnerabilities as Improper Privilege Management (CVE-2018-14787) and Unquoted Search Path or Element (CVE-2018-14789). Fortunately, neither of these vulnerabilities is critical. CVE-2018-14787 has a base score of 7.3 (medium to high severity level) and requires a low skill level to exploit. This is because, to exploit this flaw, an attacker first needs to exploit some other vulnerability or hold legitimate user status to access the system software.
Philips Will Patch The Flaw In Upcoming Versions
According to ICS-CERT, the reported vulnerabilities affect IntelliSpace Cardiovascular Version 3.1 and Xcelera Version 4.1, as well as their respective earlier versions. Fortunately, both flaws remain unexploited. Philips has also reported the matter to the National Cybersecurity and Communications Integration Center (NCCIC).
With regard to patching these vulnerabilities, Philips suggests that users of earlier versions of ISCV and Xcelera upgrade to the latest ISCV 3.1. For the other vulnerabilities in the latest software versions, Philips will release patches in the upcoming ISCV 3.2, scheduled for release in October 2018. In the meantime, Philips recommends limiting network access to the systems, reviewing and restricting file permissions, and using secure VPNs for remote access.
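An added example, not taken from the ICS-CERT advisory or from Philips: a small audit for the Unquoted Search Path or Element weakness class (CVE-2018-14789), which also lists the directories whose file permissions are worth reviewing. It assumes Windows-style service command lines; the service names and paths are constructed samples.

```python
import ntpath
import re

# Constructed sample data (service name -> configured command line).
# Illustrative only; these are not paths from ISCV or Xcelera.
SAMPLE_SERVICES = {
    "QuotedSvc": r'"C:\Program Files\Vendor App\svc.exe" -k run',
    "UnquotedSvc": r"C:\Program Files\Vendor App\bin\svc.exe -k run",
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

def unquoted_exe_path(cmdline):
    """Return the executable path if it is unquoted and contains a space."""
    cmd = cmdline.strip()
    if not cmd or cmd.startswith('"'):
        return None  # empty or properly quoted
    # Take everything up to the first ".exe" that ends a token.
    m = re.match(r"(.+?\.exe)(?=\s|$)", cmd, re.IGNORECASE)
    path = m.group(1) if m else cmd.split()[0]
    return path if " " in path else None

def ambiguous_candidates(path):
    """Shorter interpretations Windows tries first: one per space in the path."""
    return [path[:i] + ".exe" for i, ch in enumerate(path) if ch == " "]

def audit(services):
    """Map each affected service to its path and the directories to review."""
    findings = {}
    for name, cmdline in services.items():
        path = unquoted_exe_path(cmdline)
        if path is None:
            continue
        candidates = ambiguous_candidates(path)
        findings[name] = {
            "path": path,
            "candidates": candidates,
            # Non-admin write access to any of these directories is the risk.
            "review_dirs": sorted({ntpath.dirname(c) for c in candidates}),
        }
    return findings

if __name__ == "__main__":
    for svc, info in audit(SAMPLE_SERVICES).items():
        print(svc, info["path"])
        for d in info["review_dirs"]:
            print("  review write permissions on:", d)
```

The fix for a flagged entry is to quote the executable path in the service configuration; tightening permissions on the listed directories reduces exposure until that is done.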
Security vulnerabilities in medical software aren’t new. A few days ago, critical security vulnerabilities were discovered in OpenEMR that put 90 million records at risk of hacking. Perhaps hospitals and relevant medical facilities need to stay vigilant to ensure patients’ data privacy and security.