Data Loss Prevention (DLP) , Governance

Philips to Fix Vulnerabilities in Web-Based Health App

Hard-Coded Credentials Could Lead to Patient Data
Philips to Fix Vulnerabilities in Web-Based Health App
View of the Philips DoseWise portal.

Philips plans to fix elementary but alarming vulnerabilities in a web-based application used to track patient radiation exposure.

See Also: Webinar | The Future of Adaptive Authentication in Financial Services

Versions of the application, called the DoseWise Portal, mistakenly shipped with errors, including hard-coded credentials for a database holding patient data and unencrypted storage of other credentials.

The vulnerabilities can be exploited remotely, according to an advisory issued Thursday by the U.S. Industrial Control Systems Cyber Emergency Response Team, or ISC-CERT, which is part of the Department of Homeland Security.

Philips says in a notice on its website that it "has received no reports of exploitation of these vulnerabilities or incidents from clinical use that we have been able to associate with this problem."

ISC-CERT says, however, that "an attacker with a low skill would be able to exploit these vulnerabilities."

Security experts have warned hackers are increasingly targeting medical data. The healthcare industry has been seen as vulnerable due to wide variations in information security practices and long refresh cycles for medical-related hardware.

The DoseWise Portal is used in the U.S., Australia, Japan and Europe to collect and analyze radiation exposure levels from X-rays and medical imaging equipment.

Vulnerable Versions

Philips says a customer notified it of the issues. The affected versions are 1.1.7.333 and 2.1.1.3069. The company plans to release updates later this month.

Organizations using version 2.1.1.3068 will be upgraded to 2.1.2.3118. Philips says it will replace the authentication method and remove the hard-coded password vulnerabilities. For the other version, 1.1.7.333, Philips says it "will reconfigure the DWP installation to change and fully encrypt all stored passwords."

In the meantime, Philips advises that administrators block port 1433, the default port for SQL severs, unless a separate one is used.

ISC-CERT goes further in its mitigation recommendations. It advises that administrators ensure that medical devices or systems aren't directly accessible from the internet and are behind firewalls.

ISC-CERT says that the back-end database for DWP has hard-coded credentials for a database account "with privileges that can affect confidentiality, integrity and availability of the database. For an attacker to exploit this vulnerability, elevated privileges are first required for an attacker to access the web application back-end system files that contain the hard-coded credentials."

The vulnerable versions also "store login credentials in clear text within back-end system files."

Issues at Siemens

ICS-CERT warned of issues earlier this month in medical imaging products from Siemens (see Some Siemens Medical Imaging Devices Vulnerable to Hackers).

Siemens found four remotely exploitable vulnerabilities in imaging products running on Windows 7. The company said it did not believe the vulnerabilities necessarily posed an increased risk to patients based on how the devices are used and other controls, but some security experts portrayed the risk as high.

The concern for the healthcare industry also manifested after the WannaCry ransomware attack, which infected more than 300,000 systems in 150 countries (see WannaCry Outbreak: Microsoft Issues Emergency XP Patch).

The U.S. escaped relatively unscathed, with only about 10 organizations, including FedX, impacted. But those included two unnamed hospitals running radiology devices made by Bayer (see HHS Ramps Up Cyber Threat Information Sharing).

Bayer issued a vetted patch for the devices. WannaCry used a years-old software exploit believed to have been stolen from the National Security Agency. A group calling itself the Shadow Brokers released information about the exploit, nicknamed EternalBlue, and the associated vulnerability in April (see Eternally Blue? Scanner Finds EternalBlue Still Widespread).


About the Author

Jeremy Kirk

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.