25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Vulnerability Identified in Philips IntelliBridge EC40/80 Hubs

Posted By on Nov 15, 2019

A vulnerability has been identified in the Philips IntelliBridge EC40/80 hub which could allow an attacker to gain access to the hub and execute software, modify files, change the system configuration, and gain access to identifiable patient information.

Philips IntelliBridge EC40/80 hubs are used to transfer medical device data from one format to another, based on set specifications. The hub does not alter the settings or parameters of any of the medical devices to which it connects.

The vulnerability could be exploited by an attacker to capture and replay a session and gain access to the hub. The flaw is due to the SSH server running on the affected products being configured to allow weak ciphers.

The vulnerability would only require a low level of skill to exploit, but in order to exploit the flaw an attacker would need to have network access. The flaw – CVE-2019-18241 – has a CVSS v3 base score of 6.3 out of 10 – Medium severity.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The flaw was reported to Philips by New York-Presbyterian Hospital’s Medical Technology Solutions team, and under its responsible vulnerability disclosure policy, Philips reported the vulnerability to the DHS Cybersecurity Infrastructure Security Agency.

The vulnerability is present in all versions of the EC40 and EC80 hubs and will be addressed in a new release, which will not be available until the end of Q3, 2020.

Until Philips issues the new release, users of the affected hubs have been advised to implement the following mitigation measures to reduce the potential for exploitation.

  1. Only operate the hub within Philips authorized specifications, using Philips approved software, configurations, system services, and security configurations
  2. There is no clinical requirement for these devices to communicate outside the Philips clinical network. The devices should be logically or physically separated from the hospital network.
  3. Users should block access to the SSH port. SSH is not meant to be used for clinical purposes, only for product support.
  4. Use a long and complex SSH password and make sure password distribution is controlled to ensure SSH is used via physical access only.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist