
Security Advisories

Philips Engage Software (2022 January 6)

Publication Date: 2022 January 6

Update Date: 2022 January 6

 

Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.

 

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible system security vulnerabilities, the company is proactively issuing an advisory regarding the Philips Engage Software (Version 6.2.1 and prior).

 

Philips has already released and deployed to all customers an updated version (6.2.2) on September 28, 2021, in which the vulnerability was fixed. The current version of this software is version 6.2.3, which was released November 25, 2021.

 

The identified issue that has been corrected is a low-severity vulnerability (CVSS v3 score of 2.6 on a scale of 10) regarding improper access control (CWE-284). If exploited, this issue may allow an authenticated user to view business contact information.

 

This issue requires a medium skill level and authenticated user login credentials to exploit.

 

At this time, Philips has received no reports of exploitation of this vulnerability or incidents from clinical use that we have been able to associate with this problem. Engage is a patient portal and medical device software under regulations in the markets where it is offered. Engage is used solely to support the self-management of patients and their care network and is not meant to be used for therapeutic or diagnostic purposes.

 

Philips has reported this potential vulnerability and its resolution to customers and the appropriate government agencies, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which is issuing an advisory.

 

Users with questions regarding their specific Philips Engage software are advised by Philips to contact their Customer Success Manager (CSM), local Philips service support team, or regional service support. Philips contact information is available at the following location: https://www.usa.philips.com/healthcare/solutions/customer-service-solutions

 

Cybersecurity & Infrastructure Security Agency (CISA) Advisory:

https://www.cisa.gov/uscert/ics/advisories/icsma-22-006-01

Philips manufactures, sells and helps you maintain highly complex medical devices and systems. Per policy, only Philips-authorized changes are allowed to be made to these systems, either by Philips personnel or under Philips' explicit published direction.


Please contact your Philips service representative for specific information about potential vulnerabilities and the availability of patches for your equipment configuration.

Customers with specific questions regarding any security advisory or their Philips products are asked to send an e-mail to productsecurity@philips.com, contact their Philips Service Representative or contact their regional Philips Service Support.

 

Any media inquiries should be directed to:


Mario Fante, mario.fante@philips.com
or (outside N. America):
Steve Klink, steve.klink@philips.com
