Flaws in Philips Patient Monitoring Products Can Lead to Patient Data Exposure

Multiple vulnerabilities identified in Philips patient monitoring solutions could provide attackers with unauthorized access to patient data.

A total of eight security issues were identified. Although they feature severity ratings of medium and low, even low-skilled hackers could exploit them, the Cybersecurity and Infrastructure Security Agency (CISA) warns in a security alert.

“Successful exploitation of these vulnerabilities could result in unauthorized access, interrupted monitoring, and collection of access information and/or patient data,” CISA says.

The security flaws, which were identified by researchers with ERNW as part of a larger project supervised by Germany’s Federal Office for Information Security (BSI), affect IntelliVue Patient Monitor systems, Patient Information Center iX (PIC iX) software, and PerformanceBridge Focal Point, which powers remote enablement.

SecurityWeek has learned that the findings of the project, named ManiMed, will be made public in December.

The discovered bugs have been described as improper neutralization of formula elements in a CSV file (CVE-2020-16214), cross-site scripting (CVE-2020-16218), improper authentication (CVE-2020-16222), improper check for certificate revocation (CVE-2020-16228), improper handling of length parameter inconsistency (CVE-2020-16224), improper validation of syntactic correctness of input (CVE-2020-16220), improper input validation (CVE-2020-16216), and exposure of resources to the wrong control sphere (CVE-2020-16212).

Philips has issued an advisory regarding these vulnerabilities, confirming that a low skill level is required for exploitation. The company also explains that an attacker looking to exploit the flaws requires either “physical access to surveillance stations and patient monitors or access to the medical device network.”

“There are no known public exploits available fo ..