Vulnerabilities Discovered in Philips IntelliBridge, Efficia and Patient Information Center Patient Monitors

Five vulnerabilities were identified that have an effect on on the following products:

the IntelliBridge EC 40 and EC 80 Hub, Philips Patient Information Center iX, and Efficia CM series patient monitors.

IntelliBride EC 40 and EC 80 Hub

Two vulnerabilities were found that impact C.00.04 and earlier versions of the IntelliBridge EC 40 and EC 80 Hub. An unauthorized individual could exploit the vulnerabilities with success and be able to execute software, modify system configurations, and update/see files that might consist of unidentifiable patient data.

CVE-2021-32993 – The first vulnerability is a result of the use of hard-coded credentials within the software program for its own inbound authentication, outbound communication to external components, or the encryption of internal files.

CVE-2021-33017 – The second vulnerability concerns an issue with authentication bypass. Although the regular access path of the product calls for authentication, a substitute path was determined that does not need authentication.

Both vulnerabilities were designated a CVSS v3 severity score of 8.1 out of 10.

Philips has not released a fix to address the vulnerabilities, however expects to correct the vulnerabilities before 2021 concludes. For the time being, Philips advises just using the devices within Philips authorized specs, and just utilizing Philips-authorized software program, software setting, security settings and system services. The gadgets must be physically or logically separated from the hospital system.

Patient Information Center iX and Efficia CM Series Patient Monitors

Three vulnerabilities were discovered to have an effect on the Philips Patient Information Center iX and Efficia CM series patient monitors. The vulnerabilities can be taken advantage of to obtain access to patient information and to execute a denial-of-service attack. Though exploitation has a low attack difficulty, the vulnerabilities may merely be exploited through an adjacent network.

The vulnerabilities have an impact on these Philips products:

  1. Patient Information Center iX (PIC iX): Versions B.02, C.02, C.03
  2. Efficia CM Series: Revisions A.01 to C.0x and 4.0

Vulnerable models of the PIC iX do not properly confirm input to ascertain if the input has the attributes to be processed securely and properly. The vulnerability is monitored as CVE-2021-43548 and has an assigned CVSS severity rating of 6.5 out of 10.

A hard-coded cryptographic key was utilized meaning encrypted data may be retrieved from vulnerable models of the PIC iX. The vulnerability is tagged as CVE-2021-43552 and was given a 6.1 CVSS score.

A broken or risky cryptographic algorithm indicates sensitive information can be compromised in communications between Efficia CM Series and PIC iX patient monitors. The vulnerability is monitored as CVE-2-21-43550 with a 5.9 CVSS score.

CVE-2021-43548 has been fixed in PIC iX C.03.06 and patches to repair the other two vulnerabilities are going to be available by the end of 2022.

To minimize the possibilities for vulnerabilities exploitation, the devices ought to only be employed according to Philips authorized specs, which consist of physically or logically separating the products from the hospital’s local area network, and making use of a firewall or router that could have access control lists limiting access in and out of the patient monitoring network for only needed ports and IP addresses.

Philips-released hardware has Bitlocker Drive Encryption activated by default and this must not be deactivated. Before disposal, NIST SP 800-88 media sanitization rules need to be implemented. Patient data is not put in archives automatically, therefore when archives are exported that consist of patient records, the data need to be saved safely with good access controls.