CISA says security vulnerability found in GE imaging and ultrasound devices
The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency announced this week that new vulnerabilities have been detected in an array of radiology tools – CT and PET scanners, mammography devices, MRI machines, ultrasounds, X-rays and molecular imaging devices – from GE.
WHY IT MATTERS
The weak spots, first found by healthcare IoT and cybersecurity company CyberMDX, could enable cyber attacker to gain remote access to protected health and imaging information, alter data and even take the machines offline by running arbitrary code.
CISA has assigned the flaw – which appears to stem from some hard-coded default passwords used by GE – a score of 9.8 on the Common Vulnerability Scoring System – a severity that's considered critical.
Researchers "discovered this vulnerability after noticing similar patterns of unsecured communications between medical devices and the corresponding vendor’s servers across several different HDOs," according to CyberMDX.
"After detecting the anomalies, the research further investigated discovering multiple recurring maintenance scenarios instigated automatically by GE's server," researchers explained. "The maintenance protocols rely on the machine having certain services available/ports open and using specific globally-used credentials. These global credentials provide hackers with easy access to crucial medical devices. They also enable them to run arbitrary code on impacted machines and provide access to any data from the machine."
The vulnerability, known as MDhex-Ray – it's been confirmed by GE, which is working with CISA to fix it – could impact a long list of many of the radiological machines mentioned above, according to CyberMDX, and could also affect certain workstations and surgical imaging tools.
"We are not aware of any unauthorized access to data or incident where this potential vulnerability has been exploited in a clinical situation," said a GE Healthcare spokesperson in a statement sent to Healthcare IT News. "We have conducted a full risk assessment and concluded that there is no patient safety concern. Maintaining the safety, quality, and security of our devices is our highest priority."
THE LARGER TREND
"GE has identified mitigations for specific products and releases and will take proactive measures to ensure proper configuration of the product firewall protection and change default passwords on impacted devices where possible," said CISA officials the agency's alert.
"GE recommends users refer to the GE Healthcare Product Security Portal for more details on mitigations and how proactive actions may apply to affected devices," officials said.
Additionally, CISA and GE pointed to basic clinical and security best practices, such as ensuring proper segmentation of the local hospital or clinical network and creating "explicit access rules based on source/destination IP/port for all connections, including those used for remote support. Specific ports to consider may include those used for TELNET, FTP, REXEC, and SSH."
Healthcare organizations should also "utilize IPSec VPN and explicit access rules at the Internet edge before forwarding incoming connections to the local hospital/clinical network," according to the CISA alert.
ON THE RECORD
"Over the past few months we’ve seen a steady rise in the targeting of medical devices and networks, and the medical industry is unfortunately learning the hard way the consequences of previous oversights," said Elad Luz, head of research at CyberMDX, in a statement. "Protecting medical devices so that hospitals can ensure quality care is of utmost importance. We must continue to eliminate easy access points for hackers and ensure the highest level of patient safety is upheld across all medical facilities."