Share this article on:
The Phillips web-based radiation monitoring app – DoseWise Portal (DWP) – has been shipped with serious vulnerabilities that could be easily exploited by hackers to gain access to patients’ protected health information. ISC-CERT has warned healthcare providers the vulnerabilities could be remotely exploited by hackers with a low level of skill to gain access to medical data.
Two vulnerabilities have been identified. The first (CVE-2017-9656) is the use of hard-coded credentials in a back-end database with high privileges that could jeopardize the confidentiality, integrity and availability of stored data and the database itself. In order for an attacker to exploit the vulnerability, elevated privileges would be required to gain access to the system files of the back-office database. Even so, ICS-CERT says an attacker with a low level of skill could exploit the vulnerability and has given it a CVSS v3 rating of 9.1 out of 10.
The second vulnerability (CVE-2017-9654) involves cleartext storage of sensitive information in back-end system files. The vulnerability has been given a CVSS V3 rating of 6.5 out of 10.
ICS-CERT is unaware of any exploits that are publicly available that could be used to exploit the vulnerabilities, although healthcare organizations have been advised to implement mitigations. Until a new DWP is released – which is expected later this month – healthcare organizations have been advised to ensure network security best practices are implemented and port 1433 is blocked if a separate SQL server is not being used.
Best practices include minimizing network exposure by ensuring the devices/systems are not accessible from the Internet, locating the systems/devices behind firewalls, and isolating them from the business network. If remote access is required, systems should only be accessed via a VPN that has been updated to the latest version.
Phillips says the vulnerable versions are 220.127.116.113 and 18.104.22.16869. Phillips will be releasing a new version of DWP (22.214.171.12488) for users of DWP version 126.96.36.19969, which will update the authentication method and remove hard-coded password vulnerabilities. DWP version 188.8.131.523 will be updated to change and fully encrypt stored passwords.
Publicly Available Exploits Exist for Siemens CT/PET System Vulnerabilities
The ICS-CERT warning comes just a few days after a warning about four serious vulnerabilities in Siemens CT and PET systems that could be remotely exploited to gain access to the devices. In that case, exploits for the vulnerabilities are publicly available. The vulnerabilities have existed for at least two years and affect the Windows 7 OS on which the Siemens CT/PET systems are based.
With hackers increasingly targeting healthcare organizations to gain access to medical data and extort money, it is essential that medical device and app developers conduct more extensive security tests to ensure vulnerabilities are identified and corrected before the devices come to market. Post market vulnerability testing is also essential to make sure the devices remain secure throughout their life cycles.