
DHS: Philips DoseWise Portals shipped with 2 major flaws

Hackers can easily access passwords to gain access to patient data, but the company is providing an upgrade to eliminate the vulnerability.
By Jessica Davis, Senior Editor

The U.S. Department of Homeland Security’s ICS-CERT is warning healthcare providers that Philips’ web-based radiation monitoring app -- DoseWise Portal (DWP) Version 1.1.7.333 -- has been shipped with two major vulnerabilities that hackers can easily exploit to gain access to patients’ health data.

One of the vulnerabilities is a hard-coded credential for a database account in the backend of the DWP app, with privileges that can impact the confidentiality, integrity and access to the database, according to the report.

A hacker who gains elevated privileges can read these backend files, and this database is where protected health information is stored.


The second flaw is that DWP stores login credentials in clear text in the backend system files, so a hacker merely needs to read those files to obtain the credentials required to exploit the database.

Further, the flaws can be exploited remotely, and “an attacker with a low skill would be able to exploit these vulnerabilities.”

Philips plans to release a new product version and support documentation this month. For those current users of the product, the company has released an update for the DWP installation that will replace the authentication method and remove password vulnerabilities from the system.

The company will support all version 1.1.7.333 users to reconfigure the DWP install.

Philips has notified users and will work with them to schedule the necessary updates.

In the meantime, users should make sure they have security measures in place to mitigate the risk. Port 1433 (the SQL Server port) can be blocked, except where a separate SQL server is used. Network exposure of these devices should be minimized, and they should not be reachable from the internet until the updates have been installed.

The devices should also be isolated from the rest of the organization’s network until upgraded. ICS-CERT is also recommending that when remote access is necessary, a secure method like VPN should be used. But it’s important to note VPNs are only as secure as the connected device.
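Until the Philips update is applied, an operator can at least check whether backend configuration files on their own systems embed database passwords in clear text, which is the class of weakness the second flaw describes. The script below is an added example written for this article, not Philips' code and not the vendor's remediation. It assumes ADO.NET-style connection strings ("...;User Id=...;Password=...") and a config directory layout; both are assumptions, and the three sample files it scans are constructed for the demonstration. It generalizes slightly beyond the article by treating environment-variable placeholders and integrated authentication as acceptable, and it never copies the discovered secret into its report.

```python
"""Audit configuration files for clear-text database passwords.

Added example written for this article, not Philips' code.  It assumes
ADO.NET-style connection strings ("...;User Id=...;Password=...") and a
config directory layout; both are assumptions, and the sample files are
constructed for the demonstration.
"""
import re
import tempfile
from pathlib import Path

# Key/value pairs inside a connection string that carry a secret.  The value
# group stops at ';', quotes or whitespace so XML attribute values are handled.
SECRET_PAIR_RE = re.compile(r"\b(password|pwd)\s*=\s*([^;\"'\s]+)", re.IGNORECASE)

# Values that refer to a secret held elsewhere (environment variable or a
# secret store template) rather than embedding it; not clear-text findings.
INDIRECT_PREFIXES = ("${", "%", "{{")


def scan_text(text, source="<memory>"):
    """Return one finding per clear-text password found in `text`.

    The secret itself is never copied into the finding; only its length is
    reported, so the audit output can be shared without leaking it.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for key, value in SECRET_PAIR_RE.findall(line):
            if value.startswith(INDIRECT_PREFIXES):
                continue  # placeholder resolved at runtime, not a literal
            findings.append({
                "file": source,
                "line": line_no,
                "key": key,
                "secret_length": len(value),
            })
    return findings


def scan_directory(root, patterns=("*.config", "*.env", "*.ini", "*.xml")):
    """Walk `root` and scan every file whose name matches one of `patterns`."""
    findings = []
    root = Path(root)
    for pattern in patterns:
        for path in sorted(root.rglob(pattern)):
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(scan_text(text, source=str(path)))
    return findings


def build_sample_tree():
    """Create a constructed config tree (assumed layout, not a real product's):
    one clear-text password, one file using integrated authentication, and one
    that references an environment variable instead of embedding the secret."""
    root = Path(tempfile.mkdtemp(prefix="dwp-audit-"))
    (root / "web.config").write_text(
        '<connectionStrings>\n'
        '  <add name="DwpDb" connectionString="Server=db01;Database=DWP;'
        'User Id=dwp_app;Password=hunter2" />\n'
        '</connectionStrings>\n')
    (root / "app.config").write_text(
        'Server=db01;Database=DWP;Integrated Security=SSPI\n')
    (root / "settings.env").write_text(
        'DB_CONN=Server=db01;Database=DWP;User Id=dwp_app;Pwd=${DWP_DB_PASSWORD}\n')
    return root


def demo():
    """Scan the constructed tree and return its findings (one expected)."""
    return scan_directory(build_sample_tree())


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}:{f['line']} {f['key']}= "
              f"(clear-text, {f['secret_length']} chars)")
```

Run against a real deployment by calling `scan_directory()` on the application's configuration root instead of the constructed tree; any finding is a credential that should be moved to integrated authentication or an external secret store, and the matching database account's password rotated, since the file may already have been read.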

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com