Several security vulnerabilities have been identified in Philips Vue PACS equipment deployed globally in the healthcare and public health sectors. These vulnerabilities can be exploited remotely and allow an unauthorized person or process to eavesdrop, view or modify data, gain system access, perform code execution, install unauthorized software, or affect system data integrity, negatively impacting the confidentiality, integrity or availability of the system.
The Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security, released an Industrial Control Systems (ICS) Medical Advisory detailing several vulnerabilities in multiple Philips Clinical Collaboration Platform Portal (officially registered as Vue PACS) products. An attacker could exploit some of these vulnerabilities to take control of an affected system.
Philips reported the vulnerabilities to CISA and said that Vue PACS versions 12.2.x.x and prior, Vue MyVue versions 12.2.x.x and prior, Vue Speech versions 12.2.x.x and prior, and Vue Motion versions 12.2.1.5 and prior are affected.
The weakness classes listed for the Philips Vue PACS equipment include cleartext transmission of sensitive information, improper restriction of operations within the bounds of a memory buffer, improper input validation, improper authentication, improper initialization, and use of a broken or risky cryptographic algorithm.
The advisory also lists protection mechanism failure, use of a key past its expiration date, insecure default initialization of a resource, improper handling of Unicode encoding, insufficiently protected credentials, data integrity issues, cross-site scripting, improper neutralization, and use of an obsolete function.
The Philips Vue PACS (Picture Archiving and Communication System) is an image-management software that provides scalable local and wide area PACS solutions for hospitals and related institutions. The technology enables hospital systems to archive, distribute, display and retrieve images and data from all hospital modalities and information systems.
Philips’ Enterprise Imaging informatics portfolio supports hospitals and imaging centers as they seek to connect and optimize performance, improving the patient experience, health outcomes and staff experience, while lowering the cost of care. Philips Vue PACS also integrates with Electronic Medical Records (EMRs), Radiology Information Systems/Hospital Information Systems (RIS/HIS), and Health Level Seven (HL7) brokers to ingest patient demographic and clinical information. The system also connects to radiology modalities to ingest clinical images from various hospital departments.
To mitigate the risks arising from the Vue PACS vulnerabilities, the Amsterdam, Netherlands-based company has advised its users to configure the Vue PACS environment per D00076344 – Vue_PACS_12_Ports_Protocols_Services_Guide, available on Incenter, so that only the ports, protocols and services the product actually needs are exposed. Philips also recommended that users upgrade their devices to the latest available versions. Since releases are subject to country-specific regulations, users with questions regarding their specific Philips Vue PACS installations should contact the company.
The ongoing COVID-19 pandemic and the accelerating digital transformation of the connected healthcare sector have heightened cybersecurity concerns, raising the need to protect and secure every component of the supply chain, with personnel and patient data as the first priority.
This changing landscape has led countries and regions to adopt more regulations, standards and guidelines for protecting information systems and medical information, and for meeting cybersecurity requirements for network-connected medical devices, critical infrastructure protection, and privacy protection.
Healthcare organizations should also adopt a zero trust architecture to better defend their networks, systems, and devices from an ongoing barrage of attack techniques, recent research from Cynerio pointed out. Zero trust lets healthcare organizations significantly reduce the risks posed by ransomware, outdated vendor firmware, and unsecured services by configuring policies that block any communication with healthcare IoT devices that is not explicitly required, doing away with the traditional security perimeter and assuming that every user and device on the network could be malicious.
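One way to operationalize the "block unnecessary communications" policy described above, together with the ports/protocols/services configuration Philips points to: evaluate network flow records against a default-deny allowlist of the paths a PACS server legitimately needs. The following is an added example, not Philips' or Cynerio's code. The addresses, segments, port numbers (DICOM 104, HTTPS 443, HL7 MLLP 2575 are common defaults, not taken from the D00076344 guide) and the flow-log format are constructed assumptions; a real allowlist must come from the vendor guide and the site's own device inventory.

```python
"""Default-deny evaluation of flow records against a PACS communication allowlist.

Added illustration for the zero trust / ports-and-protocols guidance.  This is not
Philips' or Cynerio's code; addresses, ports and the log format are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: IPv4Network   # allowed source segment
    dst: IPv4Network   # allowed destination segment
    proto: str         # "tcp" or "udp"
    port: int          # destination port
    purpose: str       # why this path is needed (documented per zero trust practice)


# Assumed PACS host and allowlist (constructed; not the contents of the vendor guide).
PACS = ip_network("10.10.1.10/32")
ALLOWLIST = [
    Rule(ip_network("10.10.20.0/24"), PACS, "tcp", 104, "modality -> PACS DICOM"),
    Rule(ip_network("10.10.30.0/24"), PACS, "tcp", 443, "workstation -> PACS web UI"),
    Rule(ip_network("10.10.40.5/32"), PACS, "tcp", 2575, "HL7 broker -> PACS"),
]


@dataclass(frozen=True)
class Flow:
    ts: str
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse a constructed flow line: '<ts> <src>:<sport> -> <dst>:<dport> <proto>'."""
    ts, src, arrow, dst, proto = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected flow format: {line!r}")
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(ts, ip_address(src_ip), int(sport), ip_address(dst_ip), int(dport), proto.lower())


def match_rule(flow: Flow) -> Optional[Rule]:
    """Return the first allowlist rule covering this flow, or None (default deny)."""
    for rule in ALLOWLIST:
        if (flow.src in rule.src and flow.dst in rule.dst
                and flow.proto == rule.proto and flow.dport == rule.port):
            return rule
    return None


def evaluate(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Classify each flow touching the PACS host as 'allow' or 'deny'.

    Flows that involve neither side of the PACS host are reported as 'ignore' so the
    function can run over a mixed log.  Anything to or from the PACS host that is not
    in ALLOWLIST is denied, including connections the PACS server itself initiates.
    """
    verdicts = []
    for line in lines:
        flow = parse_flow(line)
        if flow.src not in PACS and flow.dst not in PACS:
            verdicts.append((line, "ignore", "does not involve PACS host"))
            continue
        rule = match_rule(flow)
        if rule is None:
            verdicts.append((line, "deny",
                             f"no allowlist entry for {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}"))
        else:
            verdicts.append((line, "allow", rule.purpose))
    return verdicts


# Constructed sample flow records (not real traffic).
SAMPLE_LOG = [
    "2021-07-06T10:00:01Z 10.10.20.15:51234 -> 10.10.1.10:104 tcp",   # modality sending images
    "2021-07-06T10:00:02Z 10.10.30.7:49152 -> 10.10.1.10:443 tcp",    # workstation web session
    "2021-07-06T10:00:03Z 10.10.30.7:49153 -> 10.10.1.10:3389 tcp",   # RDP to PACS: not allowlisted
    "2021-07-06T10:00:04Z 10.10.50.9:40000 -> 10.10.1.10:104 tcp",    # DICOM from unknown segment
    "2021-07-06T10:00:05Z 10.10.1.10:33000 -> 203.0.113.5:80 tcp",    # PACS initiating outbound HTTP
    "2021-07-06T10:00:06Z 10.10.30.7:49154 -> 10.10.30.8:445 tcp",    # unrelated to PACS host
]


if __name__ == "__main__":
    for line, verdict, reason in evaluate(SAMPLE_LOG):
        print(f"{verdict:6} {reason:60} {line}")
```

The point of the example is the default: a flow is allowed only if a documented rule covers it, so an unexpected management port, a DICOM association from an unknown segment, or the PACS host itself calling out to the internet all surface as denies without anyone having to enumerate bad traffic in advance. The same allowlist can be turned into firewall or microsegmentation policy; running it over flow logs first shows what would break before enforcement is switched on.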