On August 14th, the US Department of Homeland Security’s Industrial Control Systems Emergency Response Team (ICS-CERT) issued two alerts for Philips medical devices: PageWriter and IntelliSpace.
Philips announced plans to patch IntelliSpace by October, roughly 45 days from the DHS announcement.
PageWriter will not be patched until “mid-2019” despite the easier, “low level” threat.
A ten-month delay provides more ammunition to cyber criminals to aggressively attack healthcare. Announcing an eight- to ten-month delay in patching adds confusion to the medical device marketplace. The cybersecurity community tells clinics, hospitals and health systems that monthly patching is the best way to protect assets from cyber attack. Many medical devices in production at the bedside today remain connected to Windows XP PCs.
Philips sends the wrong signal to healthcare customers:
Homeland Security’s stated risk evaluation for PageWriter: Successful exploitation of these vulnerabilities could allow an attacker with local access and users privileges to the ISCV/Xcelera server to escalate privileges on the ISCV/Xcelera server and execute arbitrary code.
Medical device vendors must look deeper into their long-standing business model, which has failed to keep up with cybercriminal and nation-state attacks. Many cybersecurity blogs fault hospitals for delaying patches. Healthcare facilities often delay Microsoft’s Patch Tuesday for 45 to 60 days, giving their IT application analysts time to test their deployed environments.
The devices most often cited with cyber flaws are infusion pumps and x-ray machines. Bloggers must understand that deployed devices remain at the bedside and are patient-impacting. It should not come as a surprise that hospitals may not patch Windows devices for over a full calendar year. Yet 2018 proved their point. Microsoft issued multiple patches within 60 days to address Windows patching errors. A patch error may cause any medical device to fail, alter dosage levels or expose PHI data. Even respected IT advisors recommend against patching.
Hospitals now run in a post-WannaCry world. The 2017 ransomware attacks impacted medical devices in clinics, hospitals and health systems across the globe. After WannaCry, NotPetya and related botnet attacks, hospital clinical engineering and laboratory teams are more aware of their cyber risk.
Last April, Symantec revealed Orangeworm, a cyber-attack group that has targeted medical device supply chains dating back to 2015. X-Ray and MRI machine supply chains are the first targets. I applaud Philips for being one of the first medical device vendors to acknowledge Orangeworm. This attack is only the first against healthcare supply chains. Other attack groups and nation states will follow.
Philips must increase their cybersecurity efforts to mitigate existing gaps.