
GE Healthcare’s Internet-Connected Radiology Gear Vulnerable to Remote Exploitation, Researchers Find

Filip TRUȚĂ

December 09, 2020


Researchers have discovered a critical vulnerability in radiology equipment supplied by GE Healthcare that may allow the devices to connect to malicious servers.

Devices supplied by the vendor and widely used for CT scans, MRIs, mammograms, X-rays, ultrasounds and positron emission tomography (PET) are exposed to unauthorized remote access, according to CyberMDX researchers.

The reason is that GE ships these imaging devices with default passwords and several open ports so that its own technicians can service them remotely. As Dan Goodin reported for Ars Technica:

“The passwords are available to anyone who knows where on the Internet to look. A lack of proper access restrictions allows the devices to connect to malicious servers rather than only those designated by GE Healthcare. Attackers can exploit these shortcomings by abusing the maintenance protocols to access the devices. From there, the attackers can execute malicious code or view or modify patient data stored on the device or the hospital or healthcare provider servers.”

Healthcare institutions can’t change the passwords themselves – they must summon a GE Healthcare technician to do it. Now that the details are public, customers who have not had the credentials changed and the ports locked down remain exposed to attack.

The discovery, which occurred in May, prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue an urgent notice to affected healthcare providers, advising them to take mitigation steps sooner rather than later.

GE recommends that users consult the GE Healthcare Product Security Portal for details of the mitigations and which proactive actions apply to affected devices, and that they follow “clinical network security best practices,” according to the advisory.

Those steps include:

  • Ensure proper segmentation of the local hospital/clinical network and create explicit access rules based on source/destination IP/port for all connections, including those used for remote support. Specific ports to consider may include those used for TELNET, FTP, REXEC and SSH
  • Utilize IPSec VPN and explicit access rules at the Internet edge before forwarding incoming connections to the local hospital/clinical network
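What those two advisory bullets look like as an explicit, default-deny access rule is shown below. This is an added example written for this page, not code from CyberMDX, GE Healthcare or CISA: it treats the four named maintenance services (TELNET, FTP, REXEC, SSH) on their IANA default ports, assumes one IPsec-terminated support host is the only permitted source, renders the policy as an nftables ruleset, and applies the same policy to a few constructed flow records to flag connections that would have been blocked. The subnet, host addresses and flow records are invented for illustration.

```python
"""Added example (not from the article, CyberMDX, GE or CISA): a small
default-deny policy for the remote-maintenance ports the CISA advisory
names (TELNET, FTP, REXEC, SSH), rendered as an nftables ruleset and
applied to constructed flow records to spot violating connections.
All addresses and flows below are invented for illustration."""
import ipaddress
from dataclasses import dataclass

# Services the advisory lists as remote-support channels; the ports are
# the IANA defaults, which is an assumption about the devices' configuration.
MAINTENANCE_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 512: "rexec"}

# Constructed topology: imaging modalities on one VLAN, and one
# IPsec-terminated support host that is the only permitted source.
MODALITY_NET = ipaddress.ip_network("10.20.30.0/24")
SUPPORT_HOSTS = {ipaddress.ip_address("10.99.0.5")}  # hypothetical VPN endpoint


def is_allowed(src: str, dst: str, dport: int) -> bool:
    """Explicit allow rule: maintenance ports on modalities are reachable
    only from an authorised support host; any other source hitting those
    ports on the modality subnet is denied. Traffic that is not to a
    maintenance port on a modality is out of scope here and returns True
    so that other rules can judge it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d not in MODALITY_NET or dport not in MAINTENANCE_PORTS:
        return True
    return s in SUPPORT_HOSTS


def render_nft_ruleset() -> str:
    """Emit the same policy as an nftables forward-chain ruleset: one
    accept for the support host, then a logged drop for everyone else."""
    ports = ", ".join(str(p) for p in sorted(MAINTENANCE_PORTS))
    hosts = ", ".join(str(h) for h in sorted(SUPPORT_HOSTS))
    return f"""table inet modality_guard {{
  chain forward {{
    type filter hook forward priority 0; policy accept;
    ip saddr {{ {hosts} }} ip daddr {MODALITY_NET} tcp dport {{ {ports} }} accept
    ip daddr {MODALITY_NET} tcp dport {{ {ports} }} log prefix "modality-maint-deny " drop
  }}
}}
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def audit_flows(flows):
    """Return the flows the policy would have blocked."""
    return [f for f in flows if not is_allowed(f.src, f.dst, f.dport)]


# Constructed flow records, not real traffic.
SAMPLE_FLOWS = [
    Flow("10.99.0.5", "10.20.30.17", 22),    # support host -> scanner SSH: allowed
    Flow("10.20.30.40", "10.20.30.17", 23),  # peer modality -> telnet: denied
    Flow("203.0.113.8", "10.20.30.17", 21),  # Internet -> FTP: denied
    Flow("10.50.1.9", "10.20.30.17", 104),   # PACS DICOM: out of scope here
]

if __name__ == "__main__":
    print(render_nft_ruleset())
    for f in audit_flows(SAMPLE_FLOWS):
        print("would block:", f.src, "->", f.dst, MAINTENANCE_PORTS[f.dport])
```

The rendered ruleset is meant to sit on the router or firewall between the support VPN and the modality VLAN; running it on the devices themselves is not an option, since customers cannot reconfigure them. Keeping the allow list and the audit check in one place means a flow that the audit flags is, by construction, one the firewall would log and drop.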

“We are not aware of any unauthorized access to data or incident where this potential vulnerability has been exploited in a clinical situation,” a GE spokesperson told Ars and CSO. “We have conducted a full risk assessment and concluded that there is no patient safety concern. Maintaining the safety, quality, and security of our devices is our highest priority.”

The GE representative assured the news outlets that the company is providing “on-site assistance to ensure credentials are changed properly and confirm proper configuration of the product firewall.”

The spokesperson did not say whether this assistance must be requested by the customer or is offered proactively to affected healthcare units.

The CISA advisory includes the full list of affected products and a risk evaluation; the vulnerability carries a CVSS base score of 9.8, which places it in the critical range.
