CISA has warned that a Philips product has a cyber vulnerability in its software. The item in question is the e-Alert MRI (magnetic resonance imaging) software. This security flaw is believed to allow an unauthorized user to shut down the whole system remotely, and it was reported by a medical advisory team to the US Cybersecurity and Infrastructure Security Agency.
Which Versions of the Software are Affected?
According to CISA, version 2.7 of the software and earlier do not perform authentication before allowing a user to access critical system functions. If an individual has access to a healthcare facility network, they could in theory access the system.
Philips has been made aware of this security flaw and plans to create a new release to solve the issue by July 2022. For the time being, it is recommended that only authorized users should access the devices connected to the network.
Discovery of the Security Vulnerability
The flaw was found by one of St Jude Children’s Research Hospital’s senior cybersecurity analysts. The analyst reported the issue to Philips, revealing it has a ‘medium security score’ (6.5 out of 10) on the Common Vulnerability Scoring System.
In an email statement, Philips said that unauthorized users could potentially access the remote shutdown command, which would switch off the e-Alert hardware service. So far the company says it has had no reports of such exploitation.
MRI Machine Sensors
The e-Alert software runs sensors which can monitor potential issues and respond to them immediately. Examples include humidity, helium levels, and the temperature and level of the cooled water supply. These are vitally important to the proper functioning of the MRI system.
If the vulnerability is exploited successfully, an attacker could change the settings or shut everything down without being asked for any type of authentication first.
According to Philips, the company issued its own security advisory on Tuesday this week. It states that the company has identified a vulnerability allowing a potential attacker on the same subnet to impact the availability of the system, and that the flaw might allow even low-skilled cyber-attackers to remotely shut down the system without being asked to authenticate. This would deny service of the e-Alert system.
Is Patient Safety Affected by the Security Flaw?
Since Philips’ e-Alert hardware is not technically a medical device, the company claims there is no risk at all to patient safety.
However, users can potentially issue a remote shutdown command without authorization or authentication, which would result in a denial of e-Alert system service and therefore cause MRI machine downtime.
Philips says the hardware system would have to be manually switched back on to restore operation of e-Alert if an unauthorized shutdown took place.
The company announced earlier in the month that it wants to expand its medical device cybersecurity offering for healthcare providers, including improved clinical performance, better uptime figures and advanced security, so that clinical solutions and medical devices can be better protected from unauthorized access.
Back in 2018, CISA issued an advisory about potential flaws discovered in the Philips e-Alert software. There were 9 vulnerabilities in total, which were believed to allow potential cyber-criminals to access the app, execute code, or display information about the unit, as well as potentially cause the software to crash.
Response from Philips
Philips responded by releasing version R2.1 of e-Alert to correct some of the flaws and said another update would be forthcoming in late 2018. Philips is aware of this new threat and says it will work on identifying and addressing the security flaws and will disclose vulnerabilities when they are found.