ICSMA-21-322-02 · Published 2021-11-18 · Source: CISA ICS-CERT
Philips Patient Information Center iX (PIC iX) and Efficia CM Series
CVSS 6.5 (MEDIUM)
Risk Summary
Successful exploitation of these vulnerabilities may allow an attacker unauthorized access to data (including patient data) and create a denial of service resulting in temporary interruption of viewing physiological data at the central station. Exploitation does not enable modification or change to point-of-care devices.
CVEs (3): CVE-2021-43548, CVE-2021-43550, CVE-2021-43552
Remediations
- Philips released a remediation for CVE-2021-43548 in Q3 2021 in PIC iX C.03.06. Philips plans to remediate CVE-2021-43552 and CVE-2021-43550 by the end of Q2 2023. Users should operate all Philips deployed and supported products within Philips authorized specifications, including Philips approved software, software configuration, system services, and security configuration.
- As an interim mitigation, Philips recommends the following actions outlined in the Philips Patient Monitoring System Security for Clinical Networks guide at InCenter.
- Philips provided hardware ships with BitLocker Drive Encryption enabled by default to protect the data at rest stored on the system. It should not be disabled.
- Philips recommends customers follow NIST SP 800-88 for media sanitization prior to system disposal.
- By default, patient information is not included in archives. When exporting archives that contain patient information, users should store information securely with strong access controls.
- The Philips patient monitoring network is required to be physically or logically isolated from the hospital local area network (LAN). Philips recommends using a firewall or routers that can implement access control lists restricting access in and out of the patient monitoring network for only necessary ports and IP addresses.
- Users with questions regarding their specific Philips Patient Information Center (PIC iX) and Efficia CM Series new release eligibility should contact a Philips service support team or regional service support. Philips contact information is available at the Philips customer service website, or by calling 1-800-722-9377.
- Please see the Philips product security website for the latest security information for Philips products.
Affected Vendors
Philips
Affected Products (2)
- Philips · Efficia CM Series: versions A.01 <= C.0x | 4.0
- Philips · Patient Information Center iX (PIC iX): versions B.02 | C.02 | C.03
Affected Sectors
Healthcare and Public Health