Privacy & Security

DHS: Philips DoseWise Portals shipped with 2 major flaws

Hackers can easily access passwords to gain access to patient data, but the company is providing an upgrade to eliminate the vulnerability.
By Jessica Davis
August 24, 2017
01:39 PM

The U.S. Department of Homeland Security’s ICS-CERT is warning healthcare providers that Philips’ web-based radiation monitoring app -- DoseWise Portal (DWP) Version 1.1.7.333 -- has been shipped with two major vulnerabilities that hackers can easily exploit to gain access to patients’ health data.

One of the vulnerabilities involves hard-coded credentials for a database account in the backend of the DWP app, with privileges that can impact the confidentiality, integrity and access to the database, according to the report.

If a hacker gains elevated privileges, they can access these backend files. This database is where protected health information is stored.

The second flaw is that DWP stores login credentials in clear text in the backend system files. So a hacker merely needs to leverage this vulnerability to access the necessary credentials for exploiting the database.

Further, the flaws can be exploited remotely, and “an attacker with a low skill would be able to exploit these vulnerabilities.”

Philips plans to release a new product version and support documentation this month. For current users of the product, the company has released an update for the DWP installation that will replace the authentication method and remove the password vulnerabilities from the system.

The company will help all version 1.1.7.333 users reconfigure the DWP installation.

Philips has notified users and will work with them to schedule the necessary updates.

In the meantime, users should make sure they have security measures in place to mitigate the risk. Port 1433 can be blocked, except where a separate SQL server is used. Network exposure of these devices should be minimized, and the devices should not be accessible through the internet until the updates have been installed.

The devices should also be isolated from the rest of the organization’s network until upgraded. ICS-CERT is also recommending that when remote access is necessary, a secure method like VPN should be used. But it’s important to note VPNs are only as secure as the connected device.
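
One way to verify the port 1433 mitigation from a given network segment, as an added example that is not part of the original article or the ICS-CERT advisory. The host list, the `allowed` set standing in for the "separate SQL server" exception, and the function names are assumptions.

```python
import socket

SQL_SERVER_PORT = 1433  # port the mitigation advice says to block


def probe(host, port=SQL_SERVER_PORT, timeout=2.0):
    """Classify one TCP connect attempt from this vantage point."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # handshake completed: service is reachable
    except ConnectionRefusedError:
        return "refused"           # host answered, nothing listening or reject rule
    except socket.timeout:
        return "filtered"          # no answer: typical of a firewall drop rule
    except OSError:
        return "unreachable"       # routing or name-resolution failure


def audit(hosts, allowed=frozenset(), port=SQL_SERVER_PORT, timeout=2.0):
    """Return (host, state, finding) for each host.

    `allowed` holds hosts where the port is expected to be reachable,
    i.e. the "separate SQL server" exception (assumed inventory input).
    """
    results = []
    for host in hosts:
        state = probe(host, port, timeout)
        if state != "open":
            finding = "not reachable"
        elif host in allowed:
            finding = "expected"
        else:
            finding = "EXPOSED"
        results.append((host, state, finding))
    return results


if __name__ == "__main__":
    # Constructed sample inventory; replace with the DWP hosts to verify.
    for row in audit(["127.0.0.1"]):
        print(*row)
```

Run it from each segment that should no longer reach the portal's database port; any `EXPOSED` row means the block is not in effect from that vantage point.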

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com
