
Philips Patient Information Center iX (PIC iX) and Efficia CM Series Vulnerabilities

Three vulnerabilities in Patient Information Center iX (PIC iX) and Efficia CM Series products




Threat details

Introduction

Philips Healthcare has released details of three vulnerabilities in the Patient Information Center iX (PIC iX) and the Efficia CM Series. These vulnerabilities involve improper input validation, use of a hard-coded cryptographic key, and use of a broken or risky cryptographic algorithm. An attacker could exploit the vulnerabilities to gain unauthorised access to data (including patient data) and to cause a denial of service that temporarily interrupts the viewing of physiological data at the central station.


Remediation advice

Philips has confirmed that updates to all affected products will be released on the following schedule:

  • Q3 2021: Remediation for CVE-2021-43548 in PIC iX C.03.06
  • Q4 2022: Remediation for CVE-2021-43552 and CVE-2021-43550

As an interim mitigation, Philips recommends the following actions outlined in the Philips Patient Monitoring System Security for Clinical Networks guide at InCenter:

  • Philips-provided hardware ships with BitLocker Drive Encryption enabled by default to protect data at rest on the system. It should not be disabled.
  • Philips recommends customers follow NIST SP 800-88 for media sanitisation prior to system disposal.
  • By default, patient information is not included in archives. When exporting archives that do contain patient information, users should store the exported data securely with strong access controls.
  • The Philips patient monitoring network must be physically or logically isolated from the hospital local area network (LAN). Philips recommends using a firewall or routers that implement access control lists restricting traffic in and out of the patient monitoring network to only the necessary ports and IP addresses.
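The following nftables ruleset is an added illustration (not part of the Philips advisory or this alert) of how a boundary firewall can implement the isolation described above: traffic crossing between the patient monitoring network and the hospital LAN is dropped by default, and only named hosts, ports and directions are permitted. Every interface name, subnet, host address and port below is a placeholder assumption; substitute the values from the hospital's own network design and the Philips clinical network guide.

```nft
#!/usr/sbin/nft -f
# Boundary firewall between the patient monitoring network and the hospital LAN.
# All addresses, interface names and ports are placeholders (assumptions), not
# values taken from the Philips advisory; replace them with the site's own.
flush ruleset

define PM_IF    = "eth1"            # interface facing the patient monitoring network
define LAN_IF   = "eth0"            # interface facing the hospital LAN
define PM_NET   = 10.10.0.0/24      # placeholder: patient monitoring subnet
define CENTRAL  = 10.10.0.10        # placeholder: PIC iX central station
define EMR_HOST = 192.168.50.20     # placeholder: the one hospital system allowed to reach the central station
define NTP_SRV  = 192.168.50.5      # placeholder: hospital NTP server

table inet patient_monitoring {
    chain forward {
        # Default deny for anything routed across the boundary.
        type filter hook forward priority filter; policy drop;

        # Return traffic for flows that were explicitly permitted below.
        ct state established,related accept
        ct state invalid drop

        # Hospital LAN -> monitoring network: only the named host, only the named service.
        iifname $LAN_IF oifname $PM_IF ip saddr $EMR_HOST ip daddr $CENTRAL tcp dport 443 accept

        # Monitoring network -> hospital LAN: only the central station, only time sync.
        iifname $PM_IF oifname $LAN_IF ip saddr $CENTRAL ip daddr $NTP_SRV udp dport 123 accept

        # Anything else from the monitoring subnet is a policy violation: log it, count it, drop it.
        iifname $PM_IF ip saddr $PM_NET log prefix "pm-boundary-drop: " counter drop
        log prefix "pm-boundary-drop: " counter drop
    }
}
```

The logged drops give the SOC a ready-made detection signal: any "pm-boundary-drop" entry is a flow that the isolation policy did not anticipate and is worth investigating.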

Affected organisations should review the Philips Patient Information Center iX (PIC iX) and Efficia CM Series (2021 November 18) security advisory and contact their relevant suppliers to apply updates as they become available.



Last edited: 23 November 2021 3:50 pm