HC3 TLP White Sector Alert Philips Vue PACS Vulnerabilities July 8, 2021

Philips Vue PACS Vulnerabilities

Executive Summary

The Philips Vue PACS (Picture Archiving and Communication System) is an image-management software platform that enables hospitals to archive, distribute, display and retrieve images and data from all hospital modalities and information systems. Vulnerabilities have been identified in Philips Vue PACS products, including 5 classified as critical, that allow for a number of negative impacts including disruption, data theft and total device compromise. HC3 recommends that any healthcare organization that may operate Philips Vue PACS systems immediately confirm their inventory and review the list of recommended mitigations in this document.

Report

The Philips Vue PACS (Picture Archiving and Communication System) is image-management software that provides scalable local and wide area PACS solutions. It is widely used by hospitals, research institutions, clinics and small healthcare practices for sharing patient data and medical images. PACS technology enables hospitals to archive, distribute, display and retrieve images and data from all hospital modalities and information systems.

Vulnerabilities have been identified in Philips Vue PACS products, including 5 classified as critical with a 9.8 severity rating and 4 classified as high severity. Several of these vulnerabilities can be exploited remotely and are trivial to attack. Successful exploitation allows for unauthorized access, unauthorized modification of data, execution of arbitrary code, eavesdropping, and the installation of unauthorized software, and can compromise system integrity, give access to sensitive data, or negatively affect the availability of the system. The vulnerabilities were recently reported by Philips to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, which then released an alert on them. They affect the following Philips Vue PACS products:

  • Vue PACS: Versions 12.2.x.x and prior
  • Vue MyVue: Versions 12.2.x.x and prior
  • Vue Speech: Versions 12.2.x.x and prior
  • Vue Motion: Versions 12.2.1.5 and prior


For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

Senior Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272