Cybersecurity: PACS CISA Homeland Security Advisory Issued for Medical Systems
The Department of Homeland Security’s CISA has issued an advisory for the Healthcare and Public Health sector worldwide regarding Philips Vue PACS.
The ICS Medical Advisory, ICSMA-21-187-01, discloses 15 vulnerabilities discovered in the Philips Clinical Collaboration Platform Portal, also known as Vue PACS. Four of these carry a CVSS v3 base score of 9.8. Impacted products at this time include Vue PACS (Vue Picture Archiving and Communication Systems), Vue MyVue, VueSpeech, and Vue Motion.
According to the release, vulnerabilities include “Cleartext Transmission of Sensitive Information, Improper Restriction of Operations within the Bounds of a Memory Buffer, Improper Input Validation, Improper Authentication, Improper Initialization, Use of a Broken or Risky Cryptographic Algorithm, Protection Mechanism Failure, Use of a Key Past its Expiration Date, Insecure Default Initialization of Resource, Improper Handling of Unicode Encoding, Insufficiently Protected Credentials, Data Integrity Issues, Cross-site Scripting, Improper Neutralization, and Use of Obsolete Function.”
The advisory evaluates that if exploited, risks from these vulnerabilities can “allow an unauthorized person or process to eavesdrop, view or modify data, gain system access, perform code execution, install unauthorized software, or affect system data integrity in such a way as to negatively impact the confidentiality, integrity, or availability of the system.”
At time of writing there are hotfix patches available for some, but not all, of these discovered vulnerabilities. CISA recommends contacting support and provides information within the advisory for this partial remediation.
Full remediation of the disclosed vulnerabilities is anticipated for release in the first quarter of 2022, at which time a full upgrade to Version 15 will be offered by Philips for the affected products.
The Q1 2022 release is expected to remediate the remaining CWEs – CWE-665, CWE-327, CWE-710 (Speech); CWE-665, CWE-327, CWE-710 (MyVue); and CWE-79, CWE-693, CWE-665, CWE-1188, CWE-327, CWE-176, CWE-522, CWE-710, CWE-707 (PACS).
In the interim, CISA advises taking the following precautions:
1. minimize network exposure for all control system devices;
2. ensure all control system devices are not accessible from the Internet;
3. use firewalls to segment control system networks and remote devices;
4. use virtual private networks (VPNs), if necessary, to isolate them from other networks.
If a VPN is required, CISA urges companies to recognize “VPN is only as secure as the connected devices.”
Additionally, CISA reminds organizations potentially impacted to “perform proper impact analysis and risk assessment prior to deploying defensive measures.”
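As an added illustration (not code from the advisory, CISA, or Philips), the following Python script audits a device inventory and firewall ruleset against the first three precautions above: it flags control-system devices addressed outside the organisation's internal ranges, firewall rules that admit traffic from any source into a control segment, and rules that open every port into that segment. The segment labels, the internal address ranges, and every inventory entry and rule are constructed assumptions for the example, not a real product's data format.

```python
"""Audit a (constructed) device inventory and firewall ruleset against
CISA's interim advice for control-system devices: minimize network
exposure, keep devices off the Internet, and segment them behind firewalls.

Added example; the layout of Device/Rule and all sample values are
assumptions, not any vendor's or agency's format.
"""
import ipaddress
from dataclasses import dataclass

# Address ranges this constructed organisation treats as internal (RFC 1918).
INTERNAL_RANGES = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


@dataclass(frozen=True)
class Device:
    name: str
    address: str   # IP literal of the device
    segment: str   # assumed network-segment label the device lives in


@dataclass(frozen=True)
class Rule:
    src: str          # source CIDR the firewall permits
    dst_segment: str  # segment the rule lets traffic into
    ports: tuple = () # () means every port is permitted


# Constructed sample inventory and ruleset (not real systems).
INVENTORY = [
    Device("pacs-archive-01", "10.20.0.5", "imaging"),
    Device("viewer-ws-07", "10.20.0.40", "imaging"),
    Device("pacs-portal-02", "203.0.113.7", "imaging"),   # publicly addressed
    Device("hr-fileserver", "10.50.0.9", "corporate"),
]
RULES = [
    Rule("10.30.0.0/24", "imaging", (443,)),  # radiology workstations, TLS only
    Rule("0.0.0.0/0", "imaging", (443,)),     # any source, i.e. the Internet
    Rule("10.0.0.0/8", "imaging"),            # whole internal net, every port
    Rule("10.50.0.0/16", "corporate", (445,)),
]


def is_internal(address):
    """True if the address falls inside one of INTERNAL_RANGES."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in INTERNAL_RANGES)


def rule_findings(rule):
    """Describe why a single firewall rule is too permissive, if it is."""
    findings = []
    if ipaddress.ip_network(rule.src).prefixlen == 0:
        findings.append("reachable from any source (Internet-exposed)")
    if not rule.ports:
        findings.append(f"all ports open from {rule.src}")
    return findings


def audit(inventory, rules, control_segments=("imaging",)):
    """Return {device name: [finding, ...]} for devices in control segments.

    A device is reported when it sits outside the internal ranges or when
    any rule into its segment is overly broad; clean devices are omitted.
    """
    report = {}
    for dev in inventory:
        if dev.segment not in control_segments:
            continue
        findings = []
        if not is_internal(dev.address):
            findings.append(f"address {dev.address} is outside internal ranges")
        for rule in rules:
            if rule.dst_segment == dev.segment:
                findings.extend(rule_findings(rule))
        if findings:
            report[dev.name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(INVENTORY, RULES).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Running the script lists every imaging-segment device twice over for the two broad rules, and `pacs-portal-02` once more for its public address; the corporate file server is outside the control segments and is not reported. Rules are checked per destination segment rather than per device because segmentation is a property of the network boundary, which is what CISA's firewall guidance targets.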
The advisory may be found at https://us-cert.cisa.gov/ics/advisories/icsma-21-187-01
The implications reach beyond PACS to adjacent devices deployed on the same network, and to many systems that may not consider themselves PACS but share a similar architecture. It is suggested that all medical device companies, HDOs, third-party vendors, and others in the healthcare industry individually take these vulnerabilities into consideration in their own risk analysis and evaluate each for relevance to their own specific situation.