Thanks to a cybersecurity researcher, GE Healthcare has been alerted about a critical vulnerability that puts more than 100 radiological systems at risk of being hacked. CyberMDX determined that the flaw involved default passwords found on GE’s product management software and affected CT Scan Machines, PET/CT, Molecular Imaging Devices, Mammography solutions, MR Systems, X-Ray Machines and Ultrasound Systems. Fortunately, GE has stated that no incidents or injuries associated with the vulnerability have been reported in a clinical use setting.
“Upon discovery of the vulnerability, CyberMDX brought the issues we discovered to GE's attention, along with different scenarios we have seen in the field of GE performing automated maintenance in insecure ways. We later had several calls together talking about the issues and suggesting different mitigation techniques that GE could use, working with GE throughout the process,” Elad Luz, head of research at CyberMDX, told HCB News.
The specific modalities affected can be found on the CyberMDX website at https://us-cert.cisa.gov/ics/advisories/icsma-20-343-01. The severity of the vulnerability has earned the threat a CVSS score of 9.8 in the ICS-CERT Advisory, which is considered critical.
The vulnerability affected the imaging machines as well as certain workstations and imaging devices used in surgery.
The issue was identified by CyberMDX after observing medical devices and the corresponding vendor’s servers communicating with one another in unsecured ways across multiple healthcare delivery organizations (HDOs). Multiple recurring maintenance scenarios instigated by GE’s servers appear to be the cause of the issue. The machines are required to have certain services available and ports open during maintenance protocols, in addition to the use of specific globally-used credentials. These global credentials created easy access to the devices.
Luz said that the best solution is to introduce security requirements at the design phase of the device and to utilize standard authentication techniques and standard security protocols.
At the beginning of the year, CyberMDX also discovered a group of vulnerabilities specifically within hard-coded credentials for patient monitoring devices. Now known as the MDhex-Ray discovery, it follows a group of six vulnerabilities disclosed since then, along with others found in infusion pumps and anesthesia machines.
Meet the author: Vikki Harmonay