HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Advisory Issued About Vulnerabilities in Philips IntelliVue Patient and Avalon Fetal Monitors

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued an advisory about vulnerabilities affecting certain Philips IntelliVue patient monitors and Avalon fetal monitors.

Philips identified three vulnerabilities and reported them to ICS-CERT: two have been rated high severity and one medium.

If successfully exploited, an attacker could read or write device memory and cause a denial of service by forcing a system restart. Exploitation of the flaws could delay the diagnosis and treatment of patients.

Products Affected:

  • IntelliVue Patient Monitors MP Series (including MP2/X2/MP30/MP50/MP70/NP90/MX700/800) Rev B-M;
  • IntelliVue Patient Monitors MX (MX400-550) Rev J-M and (X3/MX100 for Rev M only);
  • Avalon Fetal/Maternal Monitors FM20/FM30/FM40/FM50 with software Revisions F.0, G.0 and J.3

Vulnerabilities:

CWE-287 – Improper Authentication Vulnerability

After gaining LAN access, an unauthenticated attacker could exploit the vulnerability to write to the memory (write-what-where) of a chosen device within the same subnet.


CWE-200 – Information Exposure Vulnerability

Exploitation of this vulnerability could allow an unauthenticated attacker to read the memory of a chosen device within the same subnet.

CWE-121 – Stack-Based Buffer Overflow Vulnerability

The affected devices expose an echo service in which a buffer sent by an attacker to an attacker-chosen device address within the same subnet is copied to the stack with no boundary checks, resulting in a stack-based buffer overflow.
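The pattern described above, as an added illustration written for this article: it is not Philips firmware and does not reproduce the IntelliVue or Avalon echo protocol. The request framing (a two-byte big-endian length followed by the payload), the 32-byte stack buffer and the function names are assumptions made for the demo. The vulnerable handler trusts the length field the client supplies; the hardened handler bounds it by the bytes actually received and by the buffer sizes before copying, and a small triage helper reports whether a given request would have overrun the vulnerable buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed, constructed framing for the demo: 2-byte big-endian payload length,
 * then the payload. This is NOT the Philips protocol. */
#define HDR_LEN      2
#define ECHO_BUF_LEN 32   /* size of the fixed stack buffer (assumed) */
#define MAX_REQ      (HDR_LEN + 128)

/* Length the request header claims the payload has. */
static size_t declared_len(const uint8_t *req) {
    return ((size_t)req[0] << 8) | req[1];
}

/* VULNERABLE (CWE-121 pattern): the attacker-controlled length is used for the
 * copy into a fixed-size stack buffer with no boundary check. A header that
 * claims more than ECHO_BUF_LEN bytes overruns `buf`. Never call this on
 * untrusted input; it is here to show the defect. */
size_t echo_vulnerable(const uint8_t *req, size_t req_len, uint8_t *out) {
    uint8_t buf[ECHO_BUF_LEN];
    size_t n = declared_len(req);
    (void)req_len;                 /* bytes actually received are never consulted */
    memcpy(buf, req + HDR_LEN, n); /* stack overflow when n > sizeof buf */
    memcpy(out, buf, n);
    return n;
}

/* HARDENED: bounds the declared length by the bytes actually received, the
 * stack buffer, and the caller's output buffer. Returns 0 (echoes nothing)
 * for any request that fails a check. */
size_t echo_hardened(const uint8_t *req, size_t req_len, uint8_t *out, size_t out_cap) {
    uint8_t buf[ECHO_BUF_LEN];
    if (req == NULL || out == NULL || req_len < HDR_LEN) return 0;
    size_t n = declared_len(req);
    if (n > req_len - HDR_LEN) return 0;  /* header claims more than was sent */
    if (n > sizeof buf) return 0;         /* would overrun the stack buffer */
    if (n > out_cap) return 0;            /* would overrun the caller's buffer */
    memcpy(buf, req + HDR_LEN, n);
    memcpy(out, buf, n);
    return n;
}

/* Triage helper: would echo_vulnerable() overrun its stack buffer on this request? */
int would_overflow(const uint8_t *req, size_t req_len) {
    if (req_len < HDR_LEN) return 1;      /* reads past a truncated header */
    return declared_len(req) > ECHO_BUF_LEN;
}

/* Build a constructed request: `declared` goes in the header, `actual` payload
 * bytes of `fill` follow. Returns the total length written, or 0 if it does not fit. */
size_t make_request(uint8_t *dst, size_t cap, size_t declared, size_t actual, uint8_t fill) {
    if (declared > 0xFFFF || HDR_LEN + actual > cap) return 0;
    dst[0] = (uint8_t)(declared >> 8);
    dst[1] = (uint8_t)(declared & 0xFF);
    memset(dst + HDR_LEN, fill, actual);
    return HDR_LEN + actual;
}

/* Scenarios on constructed input, so results can be checked without ever
 * running the vulnerable handler on an oversized request. */
size_t demo_benign(void) {             /* 8-byte payload: both handlers echo 8 bytes */
    uint8_t req[MAX_REQ], out[ECHO_BUF_LEN];
    size_t len = make_request(req, sizeof req, 8, 8, 0x41);
    if (echo_vulnerable(req, len, out) != 8 || out[7] != 0x41) return 0;
    return echo_hardened(req, len, out, sizeof out);
}
size_t demo_oversized(void) {          /* header claims 100 bytes: hardened refuses */
    uint8_t req[MAX_REQ], out[ECHO_BUF_LEN];
    size_t len = make_request(req, sizeof req, 100, 100, 0x42);
    return echo_hardened(req, len, out, sizeof out);
}
int demo_oversized_overflows(void) {   /* ...and the vulnerable handler would have overflowed */
    uint8_t req[MAX_REQ];
    size_t len = make_request(req, sizeof req, 100, 100, 0x42);
    return would_overflow(req, len);
}
size_t demo_truncated(void) {          /* header claims 8 bytes but only 4 were sent */
    uint8_t req[MAX_REQ], out[ECHO_BUF_LEN];
    size_t len = make_request(req, sizeof req, 8, 4, 0x43);
    return echo_hardened(req, len, out, sizeof out);
}

int main(void) {
    printf("benign: %zu bytes echoed\n", demo_benign());
    printf("oversized: hardened echoed %zu bytes, vulnerable would overflow: %d\n",
           demo_oversized(), demo_oversized_overflows());
    printf("truncated: hardened echoed %zu bytes\n", demo_truncated());
    return 0;
}
```

The hardened handler rejects two distinct lies a client can tell: a length larger than the stack buffer (the overflow itself) and a length larger than the bytes actually received (an over-read that can leak adjacent memory, which is the CWE-200 pattern listed above). Both checks must sit before the copy, and the real request length must come from the network layer rather than from the packet.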

Mitigations:

Philips disclosed the vulnerabilities under its Coordinated Vulnerability Disclosure Policy. An advisory was proactively issued to allow users of the affected products to take action to prevent the vulnerabilities from being exploited.

Philips notes that the vulnerabilities cannot be exploited remotely: a malicious actor must first gain access to the LAN on which the medical devices sit. The vulnerabilities also require a considerable degree of technical expertise to exploit.

No public exploits for the vulnerabilities have been detected and there have been no reports of any exploitation of the vulnerabilities in the wild.

Philips is working on a patch to address all three issues on IntelliVue software Revisions J-M and Avalon software Revisions G.0 and J.3 in 2018. For non-supported versions, Philips will provide an update path to get users onto a supported version. Users of unsupported versions should contact their Philips sales representative for further information.

In the meantime, users of the affected products can take the following steps to reduce the potential for exploitation of the vulnerabilities:

  • IntelliVue Monitors – Follow instructions for use in the Security for Clinical Networks Guide and update to Revision K.2 or newer software.
  • Avalon Fetal Monitors Release G.0 and Release J.3 – Follow the Data Privacy and Network Security Requirements in the installation and service manual.
  • Avalon Fetal Monitors Release F.0 – Follow the instructions as documented in the Rev J.3 Service Guide Data Privacy and Network Security Requirements section.
  • Implement physical security access controls to restrict access to the devices to authorized users, as detailed in the Philips Security for Clinical Networks guide and the IntelliVue Clinical Networks Configuration Guide.
  • Implement logical security access controls to prevent the devices from communicating outside the Philips clinical network.
  • Locate all vulnerable devices behind firewalls and isolate them from the business network.
  • Ensure the devices are not accessible over the Internet.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.