The U.S. Cyber Security & Infrastructure Security Agency (CISA) today issued a notice regarding the e-Alert system from Royal Philips (NYSE:PHG).
CISA called attention to the e-Alert MRI system monitoring platform (version 2.7 and prior) and a potential vulnerability related to “missing authentication for critical function.”
According to the CISA notice, successful exploitation of the vulnerability — in which the software does not perform any authentication for critical system functionality — could allow an unauthorized actor to remotely shut down the system if on the healthcare facility’s network.
Philips plans a new release to remediate the vulnerability before July 2022. For interim mitigation to the vulnerability, Philips recommends that users operate all Philips deployed and supported products within Philips authorized specifications, including physical and logical controls, with only authorized personnel permitted to access the network and devices connected to it.
CISA recommends that users minimize network exposure for all control system devices and/or systems, ensuring that they are not accessible from the internet. Users should also locate control system networks and remote devices behind firewalls and isolate them from the business network.
When remote access is required, CISA said to use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. VPN is only as secure as its connected devices, CISA noted.