A security vulnerability found in more than 100 imaging systems from GE Healthcare could enable a cyberattacker to access or modify patient data, according to GE, security firm CyberMDX, and the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
Discovered by CyberMDX, the vulnerability -- called MDhexRay -- relates to default passwords commonly found on GE's product management software. These credentials, which can only be changed by a GE support team, could potentially be exploited by a malicious attacker to gain remote access to these systems at a level comparable to a GE service user, according to CyberMDX.
Systems affected by the vulnerability include a variety of GE's MRI, CT, ultrasound, mammography, nuclear medicine, PET/CT, echocardiography, x-ray, and interventional systems, as well as advanced visualization software.
"The profound potential impact of these vulnerabilities coupled with the relative ease of exploitation is what makes them so critical in score," CyberMDX said in a post on its website. "Immediately upon discovering the flaw in May 2020, CyberMDX has contacted GE Healthcare to report the issue and both organizations are working together to resolve it."
Default credentials
Specifically, the vulnerability relates to credentials used by GE's proprietary management software to authenticate connections with GE's online maintenance servers. These credentials are left as default unless specifically requested by customers, CyberMDX said.
"Having [healthcare delivery organizations] not aware of the existence of those credentials or the nature of the maintenance mechanism, we found those modalities to lack restrictions on maintenance communication with entities other than GE servers," CyberMDX said.
In a medical advisory published on December 8, the ICS-CERT said that these vulnerabilities may allow specific credentials to be exposed during transport over the network, and they may also allow exposed/default credentials to be utilized to access or modify sensitive information. Successful exploitation of these vulnerabilities could occur if an attacker gains access to the healthcare delivery organization's network, according to the advisory.
"If exploited, these vulnerabilities could allow an attacker to gain access to affected devices in a way that is comparable with GE (remote) service user privileges," the ICS-CERT said. "A successful exploitation could expose sensitive data such as a limited set of patient health information (PHI) or could allow the attacker to run arbitrary code, which might impact the availability of the system and allow manipulation of PHI."
No reported incidents
In a post on its Product Security Portal, GE said that that the potential vulnerability is not directly accessible from outside the customer's network, "as the protection of this remote service connection runs to within the network boundary."
"However, exposure of the connection (traffic) on the customer's network to the medical device may allow for a malicious party to use the vulnerability to gain access to the device," GE said.
There have been no reported incidents of a cyberattack in a clinical use setting or any reported injuries associated with any of these vulnerabilities, GE said. The vendor said it has performed a "rigorous left-right look" throughout its product portfolio, followed by a safety risk assessment. It has concluded that there is no safety concern and that the devices may continue to be used.
Mitigations, best practices
GE has identified mitigations for specific product releases and will take proactive measures to ensure proper configuration of the product firewall as well as change default passwords on impacted devices where possible, according to the ICS-CERT. More details on these mitigations can be found on GE's Product Security Portal.
In addition, GE recommends the use of clinical network security best practices, including the following:
- Ensure proper segmentation of the local hospital/clinical network and create explicit access rules based on source/destination IP/port for all connections, including those used for remote support. Specific ports to consider may include those used for TELNET, FTP, REXEC, and SSH.
- Utilize IPSec VPN and explicit access rules at the Internet edge before forwarding incoming connections to the local hospital/clinical network.
GE also noted that it began working with a security researcher in 2018 on public disclosure of the use of default passwords in certain GE medical devices.
"Since the initial disclosure in 2018, GE Healthcare has made numerous improvements to product design development, install and service processes to ensure improvements in password use as we mature our medical device security posture in line or ahead of industry standards," the vendor said.
