CISA issues new PACs security advisory

The Homeland Security agency points to 13 vulnerabilities with the networked medical imaging and archiving systems that should be patched now. One dark web research firm says the U.S. and Brazil have the most internet-exposed PACs.
By Andrea Fox
10:50 AM

A series of remotely exploitable vulnerabilities are affecting Philips' Vue Picture Archiving and Communication Systems Versions prior to 12.2.8.410, the Cybersecurity and Infrastructure Security Agency said this past week. They could allow cybercriminals to view or modify data, gain system access, perform code execution, install unauthorized software or otherwise affect data integrity and system availability.

On Tuesday, after examining several of the disclosed vulnerabilities, security researchers from Cyble, which develops artificial-intelligence-enabled threat intelligence tools, said the U.S. and Brazil are the two countries with the most exposure.

WHY IT MATTERS

CISA said in its advisory that TAS Health, part of New Zealnd's Te Whatu Ora, and a systems administrator from the Dutch firm Verweijen ICT, a cloud services and networking service for small and medium-sized businesses, reported the vulnerabilities.

The threats facing Philips Vue PACS are: 

  • Out-of-bounds Write.
  • Deserialization of Untrusted Data.
  • Uncontrolled Resource Consumption.
  • Improper Privilege Management.
  • Use of Default Credentials.
  • Weak Password Requirements.
  • Exposure of Sensitive Information to an Unauthorized Actor.

Philips said in a statement on July 18 it had not received "any reports of patient harm, exploitation of these issues or incidents from clinical use that we have been able to associate with these issues."

Meanwhile, Cyble said in its July 23 report, now that the threat of exploitation is widely known, the healthcare sector is in more danger.

"The healthcare and public health sector is vastly dependent on [PACs] due to their nature of operations within this environment; at the same time, the operations performed via PACs become a lucrative target."

Specifically, the Philips VUE PACs vulnerabilities, combined with an individual system's internet exposure, could be quickly leveraged by threat actors for data breaches compromising patients' privacy, or undermining healthcare institutions and patient safety and care.

The company pointed to the U.S. and Brazil as having the highest number of Internet-enabled systems.

Philips recommended the following mitigations in its security advisories to customers:

For vulnerabilities CVE-2020-36518, CVE-2020-11113, CVE-2020-35728, CVE-2021-20190, CVE-2020-14061, CVE-2020-10673, CVE-2019-12814, CVE-2017-17485, CVE-2023-40223, and CVE-2023-40159, Philips recommends upgrading to the latest Vue PACS version 12.2.8.400* released in August 2023.

For CVE-2021-28165, Philips recommends configuring the Vue PACS environment per D000763414 – Vue_PACS_12_Ports_Protocols_Services_Guide available on Incenter. Philips also recommends upgrading to the Vue PACS version 12.2.8.410* released in October 2023.

For CVE-2023-40704 and CVE-2023-40539, Philips recommends configuring the Vue PACS environment per 8G7607 – Vue PACS User Guide Rev G available on Incenter.

CISA shared this information in its advisory to U.S. healthcare organizations and reminded them to perform proper impact analysis and risk assessment before "deploying defensive measures."

Philips reached out to Healthcare IT News to add that it collaborates across industries and actively encourages vulnerability discovery and disclosure.  

“The majority of these potential issues were corrected by the release of Vue PACS software version 12.2.8.400 in August 2023 and one issue was addressed by Vue PACS version 12.2.8.410 released in October. Also, Philips reported this vulnerability via our publicly accessible, voluntary  Coordinated Vulnerability Disclosure program. Philips CVD program, established in 2014, encourages vulnerability testing by security researchers and by customers, and we proactively and voluntarily share the results with CISA for an advisory posting," a Philips spokesperson said by email on Wednesday.

THE LARGER TREND

Hospitals that manage, store and transmit digital medical images and reports – X-rays, MRIs, CT scans – have been vulnerable to cyber threats before. 

Early in 2023, agencies warned U.S. healthcare organizations that Clop ransomware was targeting medical images.

Clop actors had been infecting image files, submitting them to facilities and requesting medical appointments hoping the virus-laden file would be opened, according to the Health Sector Cybersecurity Coordination Center.

ON THE RECORD

"Under specific conditions, the potential security vulnerabilities identified by Philips could impact or potentially compromise patient confidentiality, system integrity and/or system availability," Philips said in its advisory.

"Regular patching and updating of PACS are essential steps that need to be continuously taken to verify the security and integrity of healthcare operations, protect patient information and maintain the overall resilience of healthcare services," the Cyble researchers said. 

This article was updated on July 24, 2024, to include a comment from Philips.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.

The HIMSS Healthcare Cybersecurity Forum is scheduled to take place October 31-November 1 in Washington, D.C. Learn more and register.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.