To guide our efforts, we have created a global policy to address the evolving nature of security in medical technology, including product feature requirements, security threat assessment and tracking, and compliance with local government standards.
Philips Product Security Status documents have product-specific vulnerability updates and security-related information such as supported anti-virus software, OS security features, and remote service.
Each product has its own table and the products are grouped by modality, e.g. Informatics, Ultrasound, Magnetic Resonance, etc. The Status Documents list known software vulnerabilities, their current status, and the Recommended Customer Action.
Revised tables are posted regularly with the latest available information.
Manufacturer Disclosure Statement for Medical Device Security
As part of our commitment to product security and customer service, Philips Healthcare supplies our customers with information to help assess and address the vulnerabilities and risks associated with products that maintain or transmit ePHI.
Specifically, Philips Healthcare is using the Manufacturer Disclosure Statement for Medical Device Security (MDS²) to provide security information about its products.
The MDS² contains product specific security information such as:
Maintaining, storing, and transmitting ePHI
Data back-up and removable media capabilities
Installing security patches and anti-virus software
Remote service access
Audit logs of ePHI access, including viewing; creating, modifying, and deleting records; and importing/exporting
The MDS², a universal reporting form which allows Philips Healthcare to supply its customers with model-specific information, is endorsed by the American College of Clinical Engineering (ACCE), ECRI (formerly the Emergency Care Research Institute), the National Electrical Manufacturers Association (NEMA), and the Healthcare Information and Management Systems Society (HIMSS).
The form also contains security practice recommendations and explanatory notes from the manufacturer as well as detailed.
Once your request is processed, you will receive an email from GCS Helpdesk with login and passcode information.
Security Advisory & Archive
Website Advisory on Worldwide Ransomware Outbreak (WannaCry, et al.)
Publication Date: May 20, 2017
Update Date: May 20, 2017
CUSTOMER INFORMATION on Worldwide Outbreak of WannaCry Malware
ADVISORY / GENERAL GUIDANCE
Philips is aware of the current ransomware campaign known as WannaCry (also known as Ransom-WannaCry, WCry, WanaCrypt, and WanaCrypt0r) which has attacked a large number of organizations and over 300,000 victims around the world in approximately 150 countries. The malware encrypts (locks) computers and demands a payment in Bitcoins, according to information shared online by affected institutions. According to Microsoft, ransomware attacks have been observed to use common email phishing tactics with malicious attachments to infect devices. Once launched, the malware can further spread to adjacent systems on a network by exploiting a Windows vulnerability (in SMBv1). Further information on this Windows vulnerability can be found on the Microsoft website at Microsoft (MS) Customer Guidance for WannaCry Attacks.
The vulnerability exploited by this ransomware was identified and a patch was released by Microsoft on March 14, 2017 (MS17-010) for Microsoft-supported versions of Windows (including WinVista, WinServer 2008, Win7, WinServer 2008 R2, Win 8.1, WinServer 2012, Win10, WinServer 2012 R2, and WinServer 2016). In further response specific to this ransomware outbreak, Microsoft has also taken the extra step of releasing updates for versions of Windows no longer under Microsoft mainstream support (including WinXP, Win8, and WinServer 2003).
Consistent with Philips Product Security Policy, our global network of product security officers and technical support teams is closely monitoring the situation and continues to take appropriate preventative measures. Philips will continue to work with our customer base to address this malware event and drive any product-specific or customer installation-specific preventative measures, such as installation of the latest Microsoft Security Patches, Windows vulnerability containment steps, or other Philips-approved countermeasures, as required on Philips products.
INTENDED USE ADVISORY
Philips would like to advise our customers that neither the use of an email client nor browsing the Internet is part of the intended use of any Philips product covered by this advisory. Philips products that are not listening on the SMB ports (137, 138, 139, 445) or the RDP port (3389) are not exposed to this Windows vulnerability, provided the product is deployed within Philips product specifications and used in accordance with the intended use of the product.
Select Philips products may be affected by the Microsoft vulnerability being exploited by the WannaCry ransomware. The potential for exploitability of any such vulnerability depends on the specific configuration and deployment environment of each product as well as adherence to the intended use of the product.
Preventative measures on Philips products currently affected by this MS Windows vulnerability (listed in the table below) should be implemented in accordance with the steps and countermeasures defined within product-specific service bulletins posted on the Philips InCenter Customer Portal, also available to customers by contacting the local Philips service support team or regional product service support.
Service / Service Bulletin
IS PACS (IntelliSpace Picture Archiving and Communication System):
All Philips IS PACS customers are deployed on Philips managed services. Philips has engaged all IS PACS customers in scheduling full remediation of any potential exposures to the Windows vulnerability exploited by WannaCry.
Philips highly recommends all customers with and without service contracts contact their local service support team or regional product service support to discuss any needed guidance, services, or questions regarding their specific product installations. Supporting documentation is posted on the Philips InCenter Customer Portal. Customers who require further general information on Philips Product Security may contact Philips Product Security at email@example.com.
Note: For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability, and customers are advised not to disconnect the PRS, as doing so may prevent Philips service teams from providing required immediate and proactive support such as remote patching.
The items below are offered as general guidance, are for general consideration only, and must be reviewed in alignment with any posted Philips Service Bulletin with Philips service support to ensure all defined testing and verification processes are followed within product specification and regulatory requirements.
Work with Philips services support to identify and review:
Philips products that have been patched to protect against the vulnerability being exploited by the WannaCry ransomware.
Philips products that may still be vulnerable to impact from the WannaCry ransomware.
For Philips products that are potentially vulnerable to the WannaCry ransomware, consider the following options or combination of options (where applicable and in accordance with authorized Philips service):
- Consider blocking SMB and RDP ports per Microsoft guidance.
- Consider disabling SMBv1 on our devices if unable to patch the systems.
- Arrange for Philips service teams to apply any available Philips-approved patches or updates to your system per standard procedures.
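The three checks implied by this advisory (which of the named SMB/RDP ports are bound, whether the SMBv1 server protocol is enabled, and the SMBv1 disable step kept behind an explicit switch) can be run from one PowerShell script on a Windows host. This is an added example, not Philips code or part of any Philips service bulletin; it assumes PowerShell 3 or later, uses Get-SmbServerConfiguration where it exists (Windows 8 / Server 2012 and later) and otherwise the LanmanServer SMB1 registry value that Microsoft documents for Windows 7 / Server 2008 R2.

```powershell
# Added example (not Philips code): inventory the exposure the advisory describes on
# one Windows host. Read-only unless -Remediate is given. Assumes PowerShell 3 or
# later; Get-SmbServerConfiguration exists only on Windows 8 / Server 2012 and later,
# so older hosts use the LanmanServer "SMB1" registry value Microsoft documents.
param([switch]$Remediate)

$smbPorts = 137, 138, 139, 445     # SMB / NetBIOS ports named in the advisory
$rdpPort  = 3389
$watch    = $smbPorts + $rdpPort

# 1. Which of those ports are bound? netstat is used so the check also works on Win7.
$open = netstat -ano | ForEach-Object {
    if ($_ -match '^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s*(\S*)') {
        [pscustomobject]@{ Proto = $matches[1]; Port = [int]$matches[2]; State = $matches[3] }
    }
} | Where-Object {
    $_.Port -in $watch -and ($_.Proto -eq 'UDP' -or $_.State -eq 'LISTENING')
} | Sort-Object Proto, Port -Unique
if ($open) { $open | Format-Table -AutoSize } else { 'None of the advisory ports are bound.' }

# 2. Is the SMBv1 server protocol enabled?
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    # Windows 7 / Server 2008 R2: a missing SMB1 value means the default, i.e. enabled
    $val  = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1 = ($null -eq $val) -or ($val -ne 0)
}
"SMBv1 server protocol enabled: $smb1"

# 3. Change state only on request; on a Philips device this step belongs to the
#    vendor-authorised service process described in the advisory.
if ($Remediate -and $smb1) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0   # effective after reboot
    }
    'SMBv1 server protocol disabled.'
}
```

Run it without arguments from an elevated prompt to get the read-only inventory; the output is what to bring to the Philips service discussion before any port blocking or SMBv1 change is made on a device.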
Philips is committed to ensuring robust product security resources and support for our healthcare customers, and their patients who rely on them. We continue to engage with the medical device industry, security research community, and government agencies to monitor the situation, respond accordingly, and meet ongoing healthcare cybersecurity challenges.
Philips Xper-IM vulnerability information (14 Jul 2016)
In the second quarter of 2016, Philips was contacted by security researchers regarding potential security vulnerabilities with the Philips Xper-IM Connect system. As part of our Responsible Disclosure policy and processes, Philips has been in collaboration with the security researchers investigating this issue to promptly and transparently address the identified vulnerabilities in the Xper-IM Connect system.
The joint analysis by Philips and the researchers determined that Xper-IM Connect systems running on unsupported Windows XP operating systems and outdated product software were vulnerable to a number of potential exploits, which if implemented, could result in a remote attacker gaining access to an affected system.
The Philips product security team was able to confirm that all of the reported vulnerabilities in the Xper-IM Connect system are remediated by upgrading to the minimum specification of Windows 2008 Server or the recommended specification of Windows 2008 Server R2 and then applying a new product software version (Xper-IM Connect Version 1.5 Service Pack 13). We are providing recommendations and contact information in order to help any affected customers using a potentially affected Xper-IM Connect System address the issue and correct any affected systems as rapidly as possible.
Both Philips and the security researchers contributed to a joint disclosure to the U.S. Department of Homeland Security’s NCCIC/ICS-CERT organization, which was the source for that body’s Medical Device Advisory concerning this issue.
Philips is committed to ensuring the security and integrity of our products. Philips takes this matter very seriously. While any potential or identified security vulnerabilities are a concern, at this time we are not aware of any customers or patients that have been directly affected by this issue.
Philips Healthcare is aware of the Unix “Shellshock” security vulnerability. The effect of this vulnerability on Philips healthcare products and services is being investigated by the Philips engineering and product security teams. This site will be updated once a solution is available for any affected product(s).
Philips Healthcare is aware of the SSLv3 POODLE security vulnerability. The effect of this vulnerability on Philips healthcare products and services is being investigated by the Philips engineering and product security teams. This site will be updated once a solution is available for any affected product(s).
Philips manufactures, and helps customers maintain, highly complex medical devices and systems. Per policy, only Philips-authorized changes are allowed to be made to these systems, either by Philips personnel or under Philips’ explicit published direction.
Philips Healthcare is aware of the OpenSSL ‘heartbleed’ security vulnerability. The vulnerability (assigned CVE-2014-0160) impacts OpenSSL versions 1.0.1 – 1.0.1f. The effect of this vulnerability on Philips healthcare products and services is being investigated by the Philips engineering and product security teams. Customers will be notified once a solution is available for any affected product(s).
For our Remote Service solution (PRS) we have reviewed all of our customer facing interfaces and VPN connections to our customer facilities, and can confirm that these are not affected by the Heartbleed issue.
Philips Healthcare and Windows XP End of Support
As part of our continued attention to your security needs, Philips Healthcare wishes to bring to your attention that Microsoft discontinued support for the Microsoft Windows XP Operating System as of April 8, 2014.
Where feasible, Philips Healthcare has been developing solutions for products running Windows XP to address continuity of protection against known and emerging security threats and vulnerabilities.
To this end, Philips Healthcare will provide product-specific Statements to assist customers. Where applicable, these Product Statements may provide upgrade or field change order information.
Philips Xper-IM vulnerability information (21 Feb 2013)
Philips Healthcare is aware that researchers at a recent cyber-security conference in Florida presented on a security vulnerability in a system component of the Philips Xper Information Management System. This has been investigated by the responsible Philips engineering and product security experts and we expect to provide a software update within a short period of time once the software validation has been completed. Affected customers will be notified directly once this software update is available.
A related concern regarding the disclosure during the conference of service passwords used on Xper IM systems is already being addressed by a Philips Field Change Order (FCO 83000171), which is currently being distributed to all affected customers. The information provided by this FCO also contains instructions to mitigate the network-based heap overflow vulnerability described above in the interim.
Customers with specific questions regarding any security advisory and their Philips Healthcare products may send an e-mail to firstname.lastname@example.org, contact their Philips Service Representative, or contact their regional Philips Service Support.
Philips manufactures, sells and helps you maintain highly complex medical devices and systems. Per policy, only Philips authorized changes are allowed to be made to these systems, either by Philips personnel or under Philips explicit published direction.
Please contact your Philips service representative for specific information about potential vulnerabilities and the availability of patches for your equipment configuration.