Publication Date: 2022 January 6
Update Date: 2022 January 6
Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.
In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible system security vulnerabilities, the company is proactively issuing an advisory regarding the Philips Engage Software (Version 6.2.1 and prior).
Philips released an updated version (6.2.2), in which the vulnerability was fixed, and deployed it to all customers on September 28, 2021. The current version of this software is version 6.2.3, which was released November 25, 2021.
The identified issue that has been corrected is a low-severity vulnerability (CVSS v3 score of 2.6 on a scale of 10) regarding improper access control (CWE-284). If exploited, this issue may allow an authenticated user to view business contact information.
This issue requires a medium skill level and authenticated user login credentials to exploit.
At this time, Philips has received no reports of exploitation of this vulnerability or incidents from clinical use that we have been able to associate with this problem. Engage is a patient portal and medical device software under regulations in the markets where it is offered. Engage is used solely to support the self-management of patients and their care network and is not meant to be used for therapeutic or diagnostic purposes.
Philips has reported this potential vulnerability and its resolution to customers and the appropriate government agencies, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which is issuing an advisory.
Users with questions regarding their specific Philips Engage software are advised by Philips to contact their Customer Success Manager (CSM), local Philips service support team, or regional service support. Philips contact information is available at the following location: https://www.usa.philips.com/healthcare/solutions/customer-service-solutions
Cybersecurity & Infrastructure Security Agency (CISA) Advisory: