Philips Patient Monitoring Devices (Update C)

MonitorCVSS 6.8ICS-CERT ICSMA-20-254-01Sep 10, 2020

PhilipsHealthcare

Attack path

Attack VectorPhysical

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple Philips patient monitoring devices contain vulnerabilities in certificate validation, authentication, and input handling (CWE-287, CWE-299, CWE-20, CWE-79, CWE-130, CWE-1236, CWE-1286, CWE-668). These affect Patient Information Center iX (PICiX) versions B.02, C.02, C.03; PerformanceBridge Focal Point A.01; and IntelliVue monitors (MX100, MX400-MX850, MP2-MP90, X2, X3). Successful exploitation requires either physical access to monitors and surveillance stations or access to the medical device network, and could result in unauthorized access, interrupted monitoring, and unauthorized collection of patient data.

What this means

What could happen

An attacker with network or physical access could bypass authentication, disrupt patient monitoring, or steal sensitive patient data from surveillance stations and bedside monitors. This could delay clinical decision-making and expose protected health information.

Who's at risk

Healthcare facilities operating Philips IntelliVue patient monitors (MX100, MX400-MX850, MP2-MP90, X2, X3) and Patient Information Center iX (PICiX) surveillance stations. Clinical engineering and IT staff responsible for medical device networks, ICU/cardiac monitoring units, and patient data security should prioritize network isolation and access controls.

How it could be exploited

An attacker on the medical device network (or with physical access to a monitor/surveillance station) could exploit weak certificate validation, lack of authentication enforcement, or configuration weaknesses to gain unauthorized access to the monitoring system. From there, they could alter readings, interrupt monitoring feeds, or extract patient information.

Prerequisites

Access to the medical device network OR physical access to IntelliVue patient monitors and PIC iX surveillance stations
No valid credentials required for some attack vectors
SCEP service running (if exploiting certificate enrollment)

No authentication required for some attack vectorsLow complexity exploitationAccess to sensitive patient data (PII/PHI)Affects patient safety monitoring systemsMultiple Philips products affectedSome products have no patches available

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (9)

5 with fix4 pending

ProductAffected VersionsFix Status

Patient Information Center iX (PICiX): B.02B.02No fix yet

Patient Information Center iX (PICiX): C.02C.02No fix yet

Patient Information Center iX (PICiX): C.03C.03No fix yet

PerformanceBridge Focal Point: A.01A.01No fix yet

IntelliVue patient monitor MX100: <=N≤ NN.00 and N.01

IntelliVue patient monitor MX400-MX850: <=N.0≤ NN.00 and N.01

IntelliVue X2: <=N≤ NN.00 and N.01

IntelliVue X3: <=N≤ NN.00 and N.01

Remediation & Mitigation

0/7

Do now

0/5

HARDENINGPhysically or logically isolate the patient monitoring network from the hospital LAN using firewalls or routers with access control lists

WORKAROUNDDisable the SCEP service unless actively enrolling new devices

HARDENINGWhen using SCEP for device enrollment, require unique 8-12 character randomized challenge passwords

HARDENINGImplement physical security controls (locked data centers, controlled access at nurses' stations) to prevent unauthorized access to servers and monitors

HARDENINGRestrict remote access to PIC iX servers to only essential personnel and use role-based least-privilege login policies

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade Patient Information Center iX to Version C.03 or later

HOTFIXUpgrade IntelliVue Patient Monitors to Version N.00 or N.01 (or contact Philips support for Version M.04 upgrade path)

CVEs (8)

CVE-2020-16214 CVE-2020-16218 CVE-2020-16222 CVE-2020-16228 CVE-2020-16224 CVE-2020-16220 CVE-2020-16216 CVE-2020-16212

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/07e2dbed-d277-451d-8fc9-f771cc11a76c

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.