CISA Publishes New PACS Security Advisory

A series of remotely exploitable vulnerabilities affect Philips’ Vue Picture Archiving and Communication System (PACS) versions prior to 12.2.8.410, the Cybersecurity and Infrastructure Security Agency said last week. They could allow cybercriminals to view or modify data, gain system access, execute code, install unauthorized software or otherwise affect data integrity and system availability.

Security researchers at Cyble, a company that develops artificial intelligence-based threat intelligence tools, said Tuesday after examining several of the disclosed vulnerabilities that the US and Brazil are the two countries with the greatest exposure.

WHY IT MATTERS

CISA said in its advisory that TAS Health, part of New Zealand’s Te Whatu Ora, and a systems administrator from the Dutch company Verweijen ICT, a cloud and network service provider for small and medium-sized businesses, reported the vulnerabilities.

The weakness types affecting Philips Vue PACS are:

  • Out-of-bounds write.
  • Deserialization of untrusted data.
  • Uncontrolled resource consumption.
  • Improper privilege management.
  • Use of default credentials.
  • Weak password requirements.
  • Exposure of sensitive information to an unauthorized actor.

Philips said in a statement on July 18 that it “has not received any reports of patient harm, abuse of these issues, or clinical use incidents that we could link to these issues.”

Meanwhile, Cyble said in its July 23 report: “Now that the threat of exploitation is well known, the healthcare sector is at even greater risk.

“Healthcare and public health services are heavily dependent on PACs due to the nature of their activities in this environment. At the same time, activities conducted through PACs are becoming a lucrative target.”

Specifically, the vulnerabilities in Philips Vue PACS, combined with the exposure of individual systems to the internet, could be quickly exploited by malicious actors for data breaches that compromise patient privacy or undermine the safety and care of healthcare institutions and patients.

The company said the US and Brazil are the countries with the largest number of internet-connected systems.

Philips has recommended the following measures in its security advice to customers:

For the vulnerabilities CVE-2020-36518, CVE-2020-11113, CVE-2020-35728, CVE-2021-20190, CVE-2020-14061, CVE-2020-10673, CVE-2019-12814, CVE-2017-17485, CVE-2023-40223, and CVE-2023-40159, Philips recommends upgrading to the latest Vue PACS version 12.2.8.400*, released in August 2023.

For CVE-2021-28165, Philips recommends configuring the Vue PACS environment according to D000763414 – Vue_PACS_12_Ports_Protocols_Services_Guide available on Incenter. Philips also recommends upgrading to Vue PACS version 12.2.8.410* released in October 2023.

For CVE-2023-40704 and CVE-2023-40539, Philips recommends configuring the Vue PACS environment according to 8G7607 – Vue PACS User Guide Rev G, available on Incenter.
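The three recommendations above map CVEs to two version thresholds (12.2.8.400 and 12.2.8.410) plus two configuration-only items. The following is an added example, not code from Philips, CISA or Cyble, showing how an asset owner can check an inventory of installed Vue PACS version strings against those thresholds. The CVE groupings and version numbers are taken from the advisory text as reproduced above; the version strings in the sample inventory are constructed. The one point the code makes that the prose does not is that dotted versions must be compared numerically, field by field, since a plain string comparison ranks "12.2.8.9" above "12.2.8.410".

```python
import re

# Thresholds and CVE groups exactly as stated in the Philips/CISA advisory above.
AFFECTED_BELOW = "12.2.8.410"  # CISA: versions prior to this are affected
FIXED_IN_12_2_8_400 = (
    "CVE-2020-36518", "CVE-2020-11113", "CVE-2020-35728", "CVE-2021-20190",
    "CVE-2020-14061", "CVE-2020-10673", "CVE-2019-12814", "CVE-2017-17485",
    "CVE-2023-40223", "CVE-2023-40159",
)
FIXED_IN_12_2_8_410 = ("CVE-2021-28165",)
# Addressed by configuration per the Vue PACS user guide, not by a version upgrade.
CONFIG_ONLY = ("CVE-2023-40704", "CVE-2023-40539")


def parse_version(text):
    """Convert a dotted version such as '12.2.8.410' into a tuple of ints.

    Whitespace inside the string (as in the garbled '12.2. 8.410' seen in some
    copies of the advisory) is stripped first. Anything that is not a purely
    numeric dotted version is rejected rather than silently compared.
    """
    cleaned = re.sub(r"\s+", "", text)
    if not re.fullmatch(r"\d+(\.\d+)*", cleaned):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in cleaned.split("."))


def version_lt(a, b):
    """True if version a is strictly older than version b (numeric, per field)."""
    pa, pb = parse_version(a), parse_version(b)
    # Pad the shorter tuple with zeros so that 12.2.8 compares equal to 12.2.8.0.
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def assess(version):
    """Return which advisory items are still outstanding for an installed version.

    'outstanding' lists CVEs not addressed by the installed version alone; the
    configuration-only CVEs are always listed because no upgrade covers them.
    """
    outstanding = []
    if version_lt(version, "12.2.8.400"):
        outstanding.extend(FIXED_IN_12_2_8_400)
    if version_lt(version, "12.2.8.410"):
        outstanding.extend(FIXED_IN_12_2_8_410)
    outstanding.extend(CONFIG_ONLY)
    return {"affected": version_lt(version, AFFECTED_BELOW), "outstanding": outstanding}


def assess_inventory(inventory):
    """Assess a mapping of host name -> installed version string (constructed sample input)."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are illustrative only.
    sample = {"pacs-01": "12.2.8.9", "pacs-02": "12.2.8.400", "pacs-03": "12.2.8.410"}
    for host, result in assess_inventory(sample).items():
        print(host, "affected" if result["affected"] else "not affected", result["outstanding"])
```

Running the script prints, for each sample host, whether it falls below 12.2.8.410 and which CVEs remain to be addressed by upgrade or configuration. A host already on 12.2.8.410 still shows the two configuration-only CVEs, which is deliberate: the advisory ties those to the ports/protocols and user-guide hardening rather than to any release.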

CISA shared this information in its advisory to US healthcare organizations, reminding them to conduct proper impact analysis and risk assessment before “deploying defensive measures.”

THE BIGGER TREND

Hospitals that manage, store and transmit digital medical images and reports – X-rays, MRIs, CT scans – have been vulnerable to cyber threats before.

In early 2023, authorities warned US healthcare providers that the Clop ransomware was targeting medical images.

According to the Health Sector Cybersecurity Coordination Center, Clop actors infected image files, sent them to institutions, and requested medical appointments in the hopes that the virus file would be opened.

ON THE RECORD

“Under specific circumstances, the potential security vulnerabilities identified by Philips could impact or compromise the confidentiality of patient data, system integrity and/or system availability,” Philips said in its advisory.

“Regular patches and updates of PACS are essential steps that must be taken on an ongoing basis to verify the security and integrity of healthcare operations, protect patient data, and maintain the overall resilience of healthcare services,” the Cyble researchers said.

Andrea Fox is Editor-in-Chief of Healthcare IT News.
Email address: afox@himss.org

Healthcare IT News is a publication of HIMSS Media.
