25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Three Vulnerabilities Identified in Philips SureSigns Vital Signs Monitors

Posted By on Aug 21, 2020

Three low- to medium-severity vulnerabilities have been identified in Philips SureSigns VS4 vital signs monitors. If exploited, an attacker could gain access to administrative controls and system configurations and alter settings to send sensitive patient data to a remote destination.

The vulnerabilities were identified by the Cleveland Clinic, which reported the flaws to Philips. Philips is unaware of any public exploits for the vulnerabilities and no reports have been received to date to indicate any of the vulnerabilities have been exploited.

The flaws have been categorized as improper input validation (CWE-20), Improper access control (CWE-284), and improper authentication (CWE-287).

Philips SureSigns VS4 receives input or data, but there is a lack of input validation controls to check the input has the properties to allow the data to be processed safely and correctly. This vulnerability is tracked as CVE-2020-16237 and has been assigned a CVSS V3 base score of 2.1 out of 10.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

When a user claims to have a given identity, there are insufficient checks performed to prove that the identity of the individual is correct during authentication. This vulnerability is tracked as CVE-2020-16239 and has been assigned a CVSS V3 base score of 4.9 out of 10.

The highest severity flaw is due to insufficient access controls, which do not restrict, or incorrectly restrict, access to a resource from an unauthorized individual. Exploitation of the vulnerability could allow access to be gained to administrative controls and system configurations. This flaw is tracked as CVE-2020-16241 and has been assigned a CVSS V3 base score of 6.3 out of 10.

A security advisory about the flaws has now been released under Philips’ Coordinated Vulnerability Disclosure Policy, and mitigations have been suggested to reduce the potential for exploitation.

Philips recommends replacing Philips SureSigns VS4 devices with a newer technology. In the meantime, customers have been advised to change all system passwords on their devices and to use unique passwords for each device and to physically secure the devices when not in use.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist