DHS issues cybersecurity warning on Philips' CT scanners: 5 things to know

Philips reported various vulnerabilities in its Brilliance CT scanners to the National Cybersecurity and Communications Integration Center, the center wrote in a May 3 advisory.

The NCCIC, part of the U.S. Department of Homeland Security, serves as a national hub for cybersecurity information and technical expertise, and operates a 24/7 analysis and incident response center.

Here are five things to know about the vulnerabilities, which NCCIC said have the potential to affect the healthcare and public health sectors worldwide.

1. The vulnerabilities in Philips' CT scanners include potential execution with unnecessary privileges, potential exposure of resources to the wrong sphere and potential use of hard-coded credentials. These vulnerabilities require a "low skill level to exploit," according to NCCIC.

2. There are no known public exploits targeting these vulnerabilities. However, "successful exploitation of these vulnerabilities may allow an attacker to attain elevated privileges and access unauthorized system resources," such as allowing an attacker to view or update files with patient health information.

3. NCCIC noted users should operate Philips' Brilliance CT products within the company's authorized specifications. Philips recommended users implement a comprehensive strategy to protect systems from internal and external security threats, such as restricting physical access to scanners.

4. Philips remediated hard-coded credential vulnerabilities for select Brilliance CT scanners, and plans to further assess options for remediation for future product upgrades across the affected products.

5. In an emailed statement to Becker's Hospital Review May 11, Philips wrote, "Guided by Philips' Responsible Disclosure Policy for the awareness and remediation of identified product security vulnerabilities, the company is proactively issuing an advisory concerning a potential, low-risk security vulnerability."

"Philips has confirmed that the potential security vulnerability, if successfully exploited, may allow an attacker to gain unauthorized access to elevated privileges and/or restricted system resources and information. This vulnerability is not exploitable remotely and cannot be exploited without user interaction, and an attacker would need local access to the kiosk environment of the medical device to be able to implement the exploit," the statement continued.

