Philips e-Alert MRI Monitoring System Vulnerable to Cyberattacks: Warning

A hack of the e-Alert MRI monitoring system could silence crucial alarms, putting patients at risk of serious injury or death, CISA warns.

As Philips continues to face a growing number of CPAP recall lawsuits being pursued by users who developed cancer and respiratory injuries from a defective sound abatement foam inside the sleep apnea machines, the beleaguered manufacturer has now acknowledged a serious cybersecurity vulnerability found in its e-Alert systems, which are used to monitor medical imaging devices.

A Philips e-Alert cybersecurity warning was released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on March 29, indicating certain versions of the device software contain vulnerabilities that could be exploited by hackers to silence critical alarms and expose users to life-threatening risks.

Since 2014, the U.S. Department of Homeland Security (DHS) has been actively investigating at least two dozen cases of suspected cybersecurity flaws in medical devices and hospital equipment. DHS has warned that if preventative actions are not taken to address the medical field’s cybersecurity issues, hackers could exploit these vulnerabilities and put patients at risk in a cyberattack.

The Department of Homeland Security’s CISA issued the Medical Advisory warning for the Philips e-Alert devices, which are intelligent hardware and software-based tools that closely monitor the performance of healthcare facilities’ MRI systems. The e-Alert systems use sensor technology to warn healthcare professionals and automatically shut down the MRI systems when they identify issues related to room temperature, helium levels, cryo compressor errors, magnet disruptions and other problems.

CISA warns the cybersecurity vulnerability impacts versions 2.7 and earlier of Philips e-Alert, which the agency indicates do not require authentication for access to critical system functionality.

If a hacker were to gain access to a healthcare facility’s network, the agency warns, the flaw could allow a “low-skilled” unauthorized actor to remotely shut down the system and block critical preset alerts. CISA’s risk calculation gave the vulnerability a base score of 6.5 out of 10, which places the risk on the higher end of the medium-severity range.

The advisory recommends that healthcare facilities using Philips e-Alert versions 2.7 and earlier minimize network exposure for all control systems, ensure they are not accessible from the internet, and allow remote access to the network only for authorized and trusted users using secure methods, such as VPNs.

In conjunction with the CISA advisory, Philips released a Security Advisory on its webpage acknowledging the e-Alert vulnerability. Philips states that the e-Alert systems are not medical devices and do not pose a direct threat to patients, but the company plans to release an update that will mitigate the vulnerability by the second quarter of 2022.

Users with questions regarding the Philips e-Alert hardware solutions are being advised to contact their Customer Success Manager (CSM), local Philips service support team, or regional service support.

Medical Device Cybersecurity Risks

Cybersecurity threats in the medical field have been a growing concern over the last decade, as an increasing number of medical devices have been found to contain major vulnerabilities or run on unsupported operating systems, which could expose patients to serious risks.

In 2019, the FDA issued a safety communication about vulnerabilities with Medtronic ICDs or cardiac resynchronization therapy defibrillators (CRT-Ds), after discovering the wireless telemetry system used to communicate with and alter the implanted devices could be hacked due to a lack of security protocols.

Later the same year, in November, Medtronic issued a Medtronic MiniMed insulin pump recall after the manufacturer identified that someone other than the patient or healthcare provider could remotely change insulin delivery settings and alter glucose level data, potentially leading to life-threatening conditions such as the development of severe hypoglycemia or high blood sugar and diabetic ketoacidosis.

Late last month, the multinational cybersecurity company Palo Alto Networks released the findings of its medical device cybersecurity report, warning that the majority of infusion pumps currently in use at healthcare facilities across the U.S. have security gaps that put them at increased risk of being hacked.

The report revealed 75% of approximately 200,000 infusion pumps in use contained major vulnerabilities to at least one of the 110 identified and known security threats, which could allow hackers to compromise the infusion pump’s functionality.
