A large number of GE Healthcare medical imaging devices have a vulnerability that could put patient safety and privacy at risk.
According to an NHS Digital Cyber Alert on December 9th, two separate credential reuse vulnerabilities, known collectively as MDHexRay, have been detected in twenty-four separate product families in GE Healthcare's imaging business. The concern is that an attacker on the same local network could exploit these vulnerabilities to obtain sensitive information, including patient data, or execute commands with full admin privileges on affected systems.
The default credentials are used to remotely administer and maintain GE Healthcare products for updates, patches, and maintenance, and were freely available through GE Healthcare's customer portal. Any user with prior access to these credentials would be able to log in to an affected product and alter system settings or expose data in transit. The vulnerability was noticed in late May 2020, and since then numerous affected GE devices have been discovered.
MDHexRay affects more than 20 product families across GE Healthcare's advanced visualisation, CT, interventional, mammography, MRI, PET, ultrasound, and x-ray modalities. The MDHexRay vulnerability, designated CVE-2020-25179, has received a severity score of 9.8/10 and has been found in more than 100 CT, X-Ray, and MRI device models across various GE Healthcare product lines.
GE Healthcare told BleepingComputer “We are not aware of any unauthorized access to data or an incident where this potential vulnerability has been exploited in a clinical situation. We have conducted a full risk assessment and concluded that there is no patient safety concern. Maintaining the safety, quality, and security of our devices is our highest priority.”
Given the large number of vulnerable devices, finding a solution to this systemic flaw is going to be difficult. It could take years for a patch to reach the entire customer base, and device maintenance can be costly.
GE Healthcare has confirmed that it is contacting customers to change the default credentials. Affected organizations are encouraged to log in to their GE Healthcare Product Security Portal accounts to ensure these are changed immediately. Affected organizations are also encouraged to restrict and monitor the following ports:
FTP (port 21)
SSH (port 22)
Telnet (port 23)
REXEC (port 512)
For more details, please refer to https://us-cert.cisa.gov/ics/advisories/icsma-20-343-01
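The advisory's monitoring recommendation can be turned into a simple detection: flag any connection to the four maintenance ports on an imaging device that does not come from an approved vendor-maintenance host. The following is an added example, not code from the article, the advisory, or GE Healthcare; the imaging subnet, the allowlist, and the flow records are constructed placeholders.

```python
"""Flag remote-maintenance traffic (FTP/SSH/Telnet/REXEC) to imaging devices
from sources that are not on the approved maintenance allowlist."""
import csv
from io import StringIO
from ipaddress import ip_address, ip_network

# Ports named in the advisory's mitigation guidance.
MAINTENANCE_PORTS = {21: "FTP", 22: "SSH", 23: "Telnet", 512: "REXEC"}

# Constructed example inventory: subnet holding the imaging devices (assumption).
IMAGING_SUBNET = ip_network("10.20.30.0/24")
# Constructed allowlist: hosts permitted to perform remote maintenance (assumption).
MAINTENANCE_ALLOWLIST = {ip_address("10.0.0.5")}

# Constructed sample flow records (not real traffic). Port 104 is ordinary
# DICOM traffic and should not be flagged.
SAMPLE_FLOWS = """src,dst,dport,proto
10.0.0.5,10.20.30.17,22,tcp
10.50.1.23,10.20.30.17,23,tcp
10.50.1.23,10.20.30.42,512,tcp
10.50.1.88,10.20.30.42,104,tcp
192.168.7.9,10.20.30.5,21,tcp
"""


def flag_maintenance_access(flows_csv, imaging_subnet=IMAGING_SUBNET,
                            allowlist=MAINTENANCE_ALLOWLIST):
    """Return one alert per TCP flow that reaches a maintenance port on an
    imaging device from a source outside the allowlist."""
    alerts = []
    for row in csv.DictReader(StringIO(flows_csv)):
        dport = int(row["dport"])
        if row["proto"].lower() != "tcp" or dport not in MAINTENANCE_PORTS:
            continue  # not one of the remote-administration services
        src, dst = ip_address(row["src"]), ip_address(row["dst"])
        if dst not in imaging_subnet or src in allowlist:
            continue  # not an imaging device, or an approved maintenance host
        alerts.append({"src": str(src), "dst": str(dst),
                       "port": dport, "service": MAINTENANCE_PORTS[dport]})
    return alerts


if __name__ == "__main__":
    for a in flag_maintenance_access(SAMPLE_FLOWS):
        print(f"ALERT {a['service']}/{a['port']} {a['src']} -> {a['dst']}")
```

In production the allowlist would come from the change-controlled list of vendor maintenance hosts, and the flow records from NetFlow or firewall logs.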
Medical data can easily be exploited unless proper security measures are taken. Security vulnerabilities such as these are 100% preventable when HDOs and medical device vendors adopt sound password policies and utilize multi-factor authentication. Unfortunately, GE is not alone in using shared credentials to administer medical devices, or in having critical security vulnerabilities discovered in its devices years after manufacture. Medical and other healthcare IoT (HIoT) devices pose some of the greatest cybersecurity and privacy risks to hospitals and other healthcare providers, putting patient safety in jeopardy. Yet most hospitals have little to no idea what medical device assets connect to their networks or what risk each poses to patient safety or to the confidentiality, integrity, and availability of protected health data. To discover what HIoT assets connect to your healthcare network, talk to us about a no-cost proof of concept (POC) or schedule a demo of how Cylera MedCommand may be able to help you.