Monday, August 3, 2020

Philips Announces Vulnerability in DreamMapper CPAP Software


As someone who treats obstructive sleep apnea (OSA) on a regular basis, I thought I should make readers aware of this potential threat. One of the most popular makes of CPAP machines is Philips. The electronics giant makes all kinds of devices, and their Dream Station line of CPAP devices is one of the industry's best known. The device contains a cellular connection that allows it to send a patient's sleep statistics out to a server where the information can be reviewed by both doctors and the patient. While this is a great way to keep those informed who need to be informed, there is also the potential for others to access this information. Many of you who read this blog probably either treat OSA patients or may be using a Dream Station yourself. Read on for the details that Philips has provided about this potential vulnerability...



Publication Date: July 30, 2020

Update Date: July 30, 2020

 

Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive, ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.  

 

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible security vulnerabilities, the company is proactively issuing an advisory regarding the Philips DreamMapper software.

 

Philips has become aware of a potential medium-severity vulnerability regarding access to log file information associated with the Philips DreamMapper software, affecting only Versions 2.24.x and prior.

 

This potential issue requires a low skill level to exploit. To date, Philips has not received any reports of exploitation of this vulnerability or of incidents from clinical use that we have been able to associate with this issue.

 

Successful exploitation may allow an unauthorized user attacker access to the log file information containing descriptive error messages. This potential vulnerability does not impact patient safety. The Philips DreamMapper software is a personalized therapy adherence tool for sleep apnea patients, and is not a clinical application – it does not directly provide therapy or diagnosis to patients.

 

Philips plans a new release for DreamMapper by June 30, 2021 that remediates the security vulnerability identified. Philips has reported this potential vulnerability and its mitigation to customers and the appropriate government agencies, including CISA, which is issuing an advisory.

 

Users with questions regarding their specific Philips DreamMapper installation should contact their local Philips service support team, or regional service support. Philips contact information is available at the following location:  https://www.usa.philips.com/healthcare/solutions/customer-service-solutions

 

https://us-cert.cisa.gov/ics/advisories/icsma-20-212-01    
