Vulnerabilities Identified in Patient Monitoring Software

Federal authorities and medical device maker Philips have issued security alerts about security vulnerabilities in some of the company’s patient monitoring software. Eight low- to moderate-severity vulnerabilities have been identified in Philips patient monitoring devices.

Exploitation of these vulnerabilities could allow an attacker to escape from a restricted environment with limited privileges.

Vulnerabilities were found in certain versions of the Philips IntelliVue Patient Monitor system, the Patient Information Center iX (PIC iX) software and PerformanceBridge Focal Point.

Vulnerabilities:

The vulnerabilities require a low skill level to exploit. Successful exploitation could result in unauthorized access, information disclosure, interrupted monitoring, and collection of access information and/or patient data.

To exploit the vulnerabilities, an attacker would need physical access to surveillance stations and patient monitors, or access to the medical device network.

The Vulnerabilities:

  1. CVE-2020-16212 – CVSS 6.8/10: a resource is exposed to the wrong control sphere, allowing an unauthorized individual to gain access to it and escape the restricted environment with limited privileges.
  2. CVE-2020-16216 – CVSS 6.5/10: the product does not validate, or incorrectly validates, input. Exploitation could trigger a denial-of-service condition through a system restart.
  3. CVE-2020-16224 – CVSS 6.5/10: when parsing a formatted message, the product does not handle a length field that is inconsistent with the actual length of the data. This could trigger a restart of the surveillance station, resulting in interrupted monitoring.
  4. CVE-2020-16228 – CVSS 6.0/10: the software incorrectly checks the revocation status of a certificate, potentially allowing a compromised certificate to be used.
  5. CVE-2020-16222 – CVSS 5.0/10: insufficient authentication to prove the identity of a particular individual, potentially allowing unauthorized access to data.
  6. CVE-2020-16214 – CVSS 4.2/10: special elements are not correctly neutralized, so they could be interpreted as a command when the CSV file is opened in spreadsheet software.
  7. CVE-2020-16218 – CVSS 3.5/10: the product incorrectly neutralizes user-controllable input before it is placed in output. Exploitation could give an attacker read-only access to patient data.
  8. CVE-2020-16220 – CVSS 3.5/10: the product does not validate input to ensure it complies with the expected syntax, which could be exploited to crash the service.
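As an added example (not part of the advisory or of Philips' software), the following Python shows the defensive counterpart to the CSV weakness in item 6: neutralizing formula-triggering characters when patient data is exported, plus a check that scans an existing export for cells a spreadsheet would evaluate. The column names and sample rows are constructed for the example.

```python
import csv
import io

# Leading characters that common spreadsheet software treats as the start of a
# formula or field separator; a cell beginning with one of them is "formula-like".
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if the cell would be evaluated rather than displayed by a spreadsheet."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralize_csv_field(value: str) -> str:
    """Prefix a formula-like cell with a single quote so it renders as literal text.
    Other values pass through unchanged."""
    return "'" + value if is_formula_like(value) else value


def export_rows(rows, neutralize: bool = True) -> str:
    """Write rows as CSV text. With neutralize=True every field is defused and quoted;
    neutralize=False reproduces the unsafe export for comparison."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        cells = [str(cell) for cell in row]
        if neutralize:
            cells = [neutralize_csv_field(cell) for cell in cells]
        writer.writerow(cells)
    return buf.getvalue()


def find_formula_cells(csv_text: str):
    """Detection: report (row, column, value) for every formula-like cell in an export."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                findings.append((r, c, cell))
    return findings


# Constructed sample rows (hypothetical column names). The free-text "note" column is
# the kind of field an attacker could seed; note that a legitimate negative value such
# as "-5 bpm" is also caught, which is the usual cost of this mitigation.
SAMPLE_ROWS = [
    ["bed", "patient_id", "note"],
    ["ICU-01", "P-1001", "stable overnight"],
    ["ICU-02", "P-1002", "=SUM(1,2)"],
    ["ICU-03", "P-1003", "-5 bpm since last check"],
]
```

Running `find_formula_cells(export_rows(SAMPLE_ROWS, neutralize=False))` flags the two risky cells, while the neutralized export yields no findings.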

Philips reported the flaws to CISA and other government agencies under the company’s coordinated vulnerability disclosure policy.

Recommendations:

  • Physically or logically isolate the Philips patient monitoring network from the hospital LAN, and use firewalls or routers that restrict traffic in and out of the patient monitoring network to only the necessary ports and IP addresses.
  • When enrolling new devices using SCEP, enter a unique challenge password.
  • Block remote access to PIC iX servers if not required. Only grant remote access to PIC iX servers on a must-have basis.
  • Physically secure the devices to prevent unauthorized login attempts and ensure servers are located in locked data centers.