Hard-Coded Credentials Could Lead to Patient Data
Philips plans to fix elementary but alarming vulnerabilities in a web-based application used to track patient radiation exposure.
Versions of the application, called the DoseWise Portal, mistakenly shipped with errors, including hard-coded credentials for a database holding patient data and unencrypted storage of other credentials.
The vulnerabilities can be exploited remotely, according to an advisory issued Thursday by the U.S. Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, which is part of the Department of Homeland Security.
Philips says in a notice on its website that it “has received no reports of exploitation of these vulnerabilities or incidents from clinical use that we have been able to associate with this problem.”
ICS-CERT says, however, that “an attacker with a low skill would be able to exploit these vulnerabilities.”
Security experts have warned hackers are increasingly targeting medical data. The healthcare industry has been seen as vulnerable due to wide variations in information security practices and long refresh cycles for medical-related hardware.
The DoseWise Portal is used in the U.S., Australia, Japan and Europe to collect and analyze radiation exposure levels from X-rays and medical imaging equipment.
Philips says a customer notified it of the issues. The affected versions are 18.104.22.1683 and 22.214.171.12469. The company plans to release updates later this month.
Organizations using version 126.96.36.19968 will be upgraded to 188.8.131.5218. Philips says it will replace the authentication method and remove the hard-coded password vulnerabilities. For the other version, 184.108.40.2063, Philips says it “will reconfigure the DWP installation to change and fully encrypt all stored passwords.”
In the meantime, Philips advises that administrators block port 1433, the default port for SQL Server, unless a separate one is used.
ICS-CERT goes further in its mitigation recommendations. It advises that administrators ensure that medical devices or systems aren’t directly accessible from the internet and are behind firewalls.
ICS-CERT says that the back-end database for DWP has hard-coded credentials for a database account “with privileges that can affect confidentiality, integrity, and availability of the database. For an attacker to exploit this vulnerability, elevated privileges are first required for an attacker to access the web application back-end system files that contain the hard-coded credentials.”
The vulnerable versions also “store login credentials in clear text within back-end system files.”
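As an added illustration, not code from Philips or from the ICS-CERT advisory, the following Python audit flags back-end connection strings that embed a cleartext database password, the class of defect described above, while leaving alone strings that use Windows authentication and therefore store no password. The configuration text, connection names and account names are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample of back-end config text (not DoseWise Portal's own files),
# shaped like a typical .NET <connectionStrings> section, used only for this demo.
SAMPLE_CONFIG = """
<connectionStrings>
  <add name="DoseDb" connectionString="Server=dbhost,1433;Database=Dose;User ID=dwp_svc;Password=S3cretPlaintext;" />
  <add name="AuditDb" connectionString="Server=dbhost;Database=Audit;Integrated Security=true;" />
  <add name="LegacyDb" connectionString="Data Source=dbhost;Initial Catalog=Old;uid=sa;pwd=hunter2" />
</connectionStrings>
"""

SECRET_KEYS = {"password", "pwd"}                      # keys that carry a stored password
WINDOWS_AUTH_KEYS = {"integrated security", "trusted_connection"}  # keys that select Windows auth


def parse_connection_string(cs: str) -> Dict[str, str]:
    """Split a SQL Server style 'Key=Value;Key=Value' string into a dict with lowercase keys."""
    fields = {}
    for part in cs.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def audit_connection_strings(config_text: str) -> List[dict]:
    """Return one finding per connection string that carries an inline (cleartext) password.

    Strings that rely on Windows authentication hold no stored password and are not flagged.
    """
    findings = []
    for m in re.finditer(r'name="([^"]+)"\s+connectionString="([^"]*)"', config_text):
        name, cs = m.group(1), m.group(2)
        fields = parse_connection_string(cs)
        uses_windows_auth = any(
            fields.get(k, "").lower() in ("true", "sspi", "yes") for k in WINDOWS_AUTH_KEYS
        )
        secret_present = any(fields.get(k) for k in SECRET_KEYS)
        if secret_present and not uses_windows_auth:
            findings.append({
                "name": name,
                "user": fields.get("user id") or fields.get("uid") or "",
                "server": fields.get("server") or fields.get("data source") or "",
            })
    return findings


if __name__ == "__main__":
    for f in audit_connection_strings(SAMPLE_CONFIG):
        print(f"cleartext DB password in '{f['name']}' for user '{f['user']}' on {f['server']}")
```

Running the audit over real back-end files (rather than the embedded sample) is a quick way to confirm whether a vendor's "fully encrypt all stored passwords" update actually removed inline credentials.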
ICS-CERT warned of issues earlier this month in medical imaging products from Siemens (see Some Siemens Medical Imaging Devices Vulnerable to Hackers).
Siemens found four remotely exploitable vulnerabilities in imaging products running on Windows 7. The company said it did not believe the vulnerabilities necessarily posed an increased risk to patients based on how the devices are used and other controls, but some security experts portrayed the risk as high.
The concern for the healthcare industry also manifested after the WannaCry ransomware attack, which infected more than 300,000 systems in 150 countries (see WannaCry Outbreak: Microsoft Issues Emergency XP Patch).
The U.S. escaped relatively unscathed, with only about 10 organizations, including FedEx, impacted. But those included two unnamed hospitals running radiology devices made by Bayer (see HHS Ramps Up Cyber Threat Information Sharing).
Bayer issued a vetted patch for the devices. WannaCry used a years-old software exploit believed to have been stolen from the National Security Agency. A group calling itself the Shadow Brokers released information about the exploit, nicknamed EternalBlue, and the associated vulnerability in April (see Eternally Blue? Scanner Finds EternalBlue Still Widespread).