The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a medical advisory over a security vulnerability identified in Philips Healthcare's e-Alert MRI system monitoring software.
According to the CISA advisory, e-Alert version 2.7 and prior releases do not perform any authentication for critical system functionality.
"Successful exploitation of this vulnerability may allow an unauthorized actor to remotely shut down the system, if on the healthcare facilities network," the CISA said.
The CISA said that Philips is planning a new software release before July 2022 to remediate this vulnerability. In the meantime, the vendor recommends that users operate all software within its authorized specifications, including physical and logical controls. Furthermore, Philips recommends that only authorized users be permitted to access the network and the devices connected to it, according to the CISA.
To minimize the risk that this vulnerability could be exploited, the CISA also recommends that users take defensive measures, including the following:
- Minimizing network exposure for all control system devices and/or systems, and ensuring they are not accessible from the internet.
- Locating control system networks and remote devices behind firewalls and isolating them from the business network.
- When remote access is required, using secure methods, such as virtual private networks (VPNs), while recognizing that VPNs may have vulnerabilities and should be updated to the most current version available, and that a VPN is only as secure as its connected devices.