This updated advisory is a follow-up to the original advisory titled ICSMA-21-322-02 Philips Patient Information Center iX (PIC iX) and Efficia CM Series, which was published on November 18, 2021, on the ICS webpage at www.cisa.gov/ics.
CISA Number: ICSMA-21-322-02
CVE Number: Multiple CVEs; refer to the CISA advisory page for details.
Publication Date: 2021 November 18
Update Date: 2023 June 9
Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive, ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.
In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible security vulnerabilities, the company is proactively issuing an advisory regarding a potential issue related to certain versions of Philips Patient Information Center iX (PIC iX) and Efficia CM Series software.
Philips has identified vulnerabilities in the affected software including:
- Improper input validation (CWE-20), affecting Patient Information Center iX (PIC iX) versions C.02 and C.03
- Use of a hard-coded cryptographic key (CWE-321), affecting Patient Information Center iX (PIC iX) versions B.02, C.02 and C.03
- Use of a broken or risky cryptographic algorithm (CWE-327), affecting Patient Information Center iX (PIC iX) version C.0x and Efficia CM Series revisions A.01 to C.0x
To date, Philips has not received any reports of exploitation of these issues or of incidents from clinical use that we have been able to associate with these issues. At this time there are no known public exploits that specifically target these vulnerabilities.
Successful exploitation of these vulnerabilities may give an attacker unauthorized access to data, including patient data, or cause a denial of service that temporarily interrupts the viewing of physiological data at the central station. Exploitation does not enable modification of point-of-care devices.
Philips released a remediation for CWE-20 in Q3 2021 in PIC iX C.03.06, and a remediation for CWE-321 and CWE-327 in Q2 2023 in PIC iX 4.1. Users should operate all Philips deployed and supported products within Philips authorized specifications, including Philips approved software, software configuration, system services, and security configuration.
As interim mitigations, Philips recommends the following; the Philips Patient Monitoring System Security for Clinical Networks guide, available on InCenter, provides additional information:
- Philips-provided hardware ships with BitLocker Drive Encryption enabled by default to protect the data at rest stored on the system. It should not be disabled.
- Philips recommends that customers follow NIST SP 800-88 for media sanitization prior to system disposal.
- By default, patient information is not included in archives. When exporting archives that do contain patient information, customers should store them securely with strong access controls.
- The Philips patient monitoring network is required to be physically or logically isolated from the hospital local area network (LAN). Philips recommends using a firewall or routers that can implement access control lists restricting access in and out of the patient monitoring network for only necessary ports and IP addresses.
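The network isolation item above describes the control but not a concrete ruleset. The following nftables forwarding policy is an added example of what "access control lists restricting access in and out of the patient monitoring network for only necessary ports and IP addresses" looks like on a Linux-based router or firewall that sits between the two segments; it is not Philips code and is not taken from the Security for Clinical Networks guide. Every interface name, subnet, host address and port in it is a hypothetical placeholder: the real list of required flows must come from the guide and from the site's own network design.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from Philips). Default-deny forwarding between a
# patient-monitoring segment and the hospital LAN, with explicitly enumerated
# exceptions. All names, addresses and ports below are placeholders.

define MON_IF      = "eth1"          # placeholder: interface facing the monitoring network
define LAN_IF      = "eth0"          # placeholder: interface facing the hospital LAN
define MON_NET     = 10.10.20.0/24   # placeholder: monitoring subnet
define EXPORT_HOST = 10.0.5.15       # placeholder: the only LAN host allowed to receive exports
define NTP_SERVER  = 10.0.0.10       # placeholder: hospital time source

table inet monitoring_isolation {
    chain forward {
        # Anything not explicitly accepted below is dropped.
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows that were explicitly permitted may continue.
        ct state established,related accept

        # Monitoring segment -> hospital LAN: one rule per required flow,
        # pinned to a destination host and port rather than a whole subnet.
        iifname $MON_IF oifname $LAN_IF ip saddr $MON_NET ip daddr $NTP_SERVER  udp dport 123 accept
        iifname $MON_IF oifname $LAN_IF ip saddr $MON_NET ip daddr $EXPORT_HOST tcp dport 443 accept

        # Hospital LAN -> monitoring segment: no connections are initiated from
        # the LAN side. Add an accept rule here only for a documented management
        # host, again pinned to a single source address and destination port.

        # Log what the default policy drops so unexpected traffic becomes visible.
        limit rate 10/second log prefix "mon-isolation drop: "
        drop
    }
}
```

Load it with `nft -f` and verify with `nft list table inet monitoring_isolation`; the check that matters is that the forward chain shows `policy drop` and that every accept line names a specific host and port. Rules that accept a whole subnet in either direction, or that allow the LAN to initiate connections into the monitoring segment, reintroduce the exposure the isolation requirement is meant to remove.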
Philips has reported the potential vulnerabilities and their mitigations to the public and to the appropriate government agencies, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which is issuing an advisory.
Users with questions regarding their specific Philips Patient Information Center iX (PIC iX) and Efficia CM Series solutions are advised by Philips to contact their local Philips service support team.