Publication Date: 2021 June 29
Update Date: 2022 March 31
Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive, ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.
In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible security vulnerabilities, the company is proactively issuing an advisory regarding potential issues related to certain versions of Philips Vue PACS (Picture Archiving and Communications System) software and related products:
- Vue PACS versions 12.2.x.x and prior
- Vue MyVue versions 12.2.x.x and prior
- Vue Speech versions 12.2.x.x and prior
- Vue Motion versions 126.96.36.199 and prior
Philips has identified potential security vulnerabilities that under specific conditions could impact or potentially compromise patient confidentiality, system integrity, and/or system availability. To minimize the potential risk of these vulnerabilities, Philips recommends that users upgrade to the latest Philips Vue PACS software running on Windows Operating System 2019 and enable security patching procedures for timely security updates.
Philips’ analysis has shown that these issues require a range of skill levels, from low to high, to exploit. If exploited, unauthorized users may be able to provide unexpected input into the application, execute arbitrary code, alter the intended control flow of the system, access sensitive information, or potentially cause a system crash.
Philips has identified that some of the affected vulnerabilities could be attacked remotely. Exploits that could target some of the vulnerabilities are known to be publicly available.
To date, Philips has not received any reports of exploitation of these issues, or of incidents from clinical use, that we have been able to associate with these issues. It is unlikely that these potential vulnerabilities would impact clinical use. Philips has released software updates and has controlling mitigations in place for the affected software to limit the risk and exploitability of most of these vulnerabilities.
Philips has reported these potential vulnerabilities and their resolution to the appropriate government agencies, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which is issuing an advisory.
Philips also sent a letter to all its customers. Users with questions regarding their specific Vue PACS solutions are advised by Philips to contact their local Philips service support team.
ADDENDUM: In January 2022, Philips added one low-severity vulnerability report (CWE-23) to the original Coordinated Vulnerability Disclosure posted by CISA in July 2021. This additional vulnerability did not alter the overall CVSS v3 score for the reported vulnerabilities in this product.
ADDENDUM 2: In March 2022, Philips updated the advisory to announce that versions remediating CWE-665 and CWE-327 for Speech were released earlier than originally planned. Also, 188.8.131.52 was released in Q1 of 2022, remediating CWE-665 and CWE-710 for MyVue, and CWE-79, CWE-693, CWE-665, CWE-1188, CWE-327, CWE-176, CWE-522, CWE-710, and CWE-707 for PACS. CWE-522, which has a low CVSS score, will be remediated in Q3 of 2023.
Cybersecurity & Infrastructure Security Agency (CISA) Advisory: https://us-cert.cisa.gov/ics/advisories/icsma-21-187-01