ICS-CERT Advisory on New Vulnerability in Philips iSite and IntelliSpace PACS

ICS-CERT released a bulletin concerning a medium-severity vulnerability found in Philips iSite and IntelliSpace PACS. All versions of iSite PACS and IntelliSpace PACS are affected by the weak password vulnerability. If the vulnerability is exploited by hackers, the integrity, confidentiality and availability of a system component could be affected.

The vulnerability – CVE-2018-17906 (CWE-521) – involves the use of default credentials and insufficient authentication in a third-party software program. Even a hacker with a low level of skill could exploit the vulnerability. However, the possibility of exploitation is restricted because the attacker would first need to gain access to the local network.

The vulnerability was reported to Philips by a user, and Philips notified NCCIC. A CVSS v3 base rating of 6.3 has been assigned to the vulnerability. To prevent hackers from exploiting the vulnerability, healthcare organizations should only allow authorized personnel to access the vulnerable iSite and IntelliSpace PACS systems and standard security best practices should be followed.

Philips’ advice is to run IntelliSpace PACS installations only in managed service environments that adhere to NCCIC instructions. To minimize the possibility of hackers exploiting the vulnerability, the following actions should be taken:

  • Make sure the Philips iSite and IntelliSpace PACS are not accessible over the Internet
  • Separate iSite and IntelliSpace PACS from other networks
  • Position iSite and IntelliSpace PACS behind a firewall

Through the managed service environment, Philips provides automated anti-virus protection, scans networks, and automatically mitigates threats. Philips additionally has a monthly patch program to fix identified vulnerabilities promptly. Philips has also taken the opportunity to remind users that the iSite 3.6 platform has reached end of life and end of service.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/