Philips Patient Information Center iX (PIC iX) and Efficia CM Series Vulnerabilities
Summary
Three vulnerabilities in Patient Information Center iX (PIC iX) and Efficia CM Series products
Affected platforms
The following platforms are known to be affected:
Threat details
Introduction
Philips Healthcare has released details of three vulnerabilities in the Patient Information Center iX (PIC iX) and the Efficia CM Series. These vulnerabilities involve improper input validation, use of a hard-coded cryptographic key, and use of a broken or risky cryptographic algorithm. An attacker could exploit them to gain unauthorised access to data (including patient data) and to cause a denial of service, resulting in a temporary interruption of the viewing of physiological data at the central station.
Threat updates
| Date | Update |
|---|---|
| 13 Jan 2023 | Philips has moved the release of remediation advice for CVE-2021-43552 and CVE-2021-43550. Philips now plans to remediate CVE-2021-43552 and CVE-2021-43550 by the end of Q2 2023 instead of Q4 2022. This article has been updated to reflect this change. |
Remediation advice
Philips has confirmed that updates to all affected products will be released on the following schedule:
- Q3 2021: Remediation for CVE-2021-43548 in PIC iX C.03.06
- Q2 2023: Remediation for CVE-2021-43552 and CVE-2021-43550
As an interim mitigation, Philips recommends the following actions, which are outlined in the Philips Patient Monitoring System Security for Clinical Networks guide available at InCenter:
- Philips-provided hardware ships with BitLocker Drive Encryption enabled by default to protect data at rest on the system. It should not be disabled.
- Philips recommends that customers follow NIST SP 800-88 for media sanitisation prior to system disposal.
- By default, patient information is not included in archives. When exporting archives that do contain patient information, users should store them securely with strong access controls.
- The Philips patient monitoring network is required to be physically or logically isolated from the hospital local area network (LAN). Philips recommends using a firewall or routers that can implement access control lists restricting traffic in and out of the patient monitoring network to only the necessary ports and IP addresses.
Affected organisations should review the Philips Patient Information Center iX (PIC iX) and Efficia CM Series security advisory (18 November 2021) and contact their relevant suppliers to apply updates as they become available.
Definitive source of threat updates
CVE Vulnerabilities
Last edited: 13 January 2023 12:21 pm