Getty Images/iStockphoto
Flaws in GE Radiology Medical Device Authentication Pose Patient Data Risk
Discovered by CyberMDX, authentication flaws found in certain GE radiology medical devices put patient protected health data at risk of manipulation and exposure, according to CISA.
The Department of Homeland Security Cybersecurity and Infrastructure Security Agency is warning all hospitals and other healthcare delivery organizations of an authentication flaw found in multiple GE Healthcare devices that poses a serious risk to protected health information.
Dozens of radiological devices are affected by the flaw, which could also enable an attacker to access or alter device data, or interrupt the availability of the vulnerable machine.
The flaw was discovered by healthcare cybersecurity vendor CyberMDX, which observed similar patterns of unsecured communications between medical devices and the servers of the corresponding vendor across several healthcare delivery organizations.
The detection of the anomalies led to the discovery of several recurring maintenance scenarios automatically initiated by GE’s server. According to researchers, the maintenance protocols rely on certain services to be available or ports to be open, as well as the use of specific, globally used credentials.
However, global credentials give hackers easy access to medical devices, allow the insertion of arbitrary code, and give access to any device data.
“If exploited, these vulnerabilities could allow an attacker to gain access to affected devices in a way that is comparable with GE (remote) service user privileges,” according to CISA. “A successful exploitation could expose sensitive data such as a limited set of PHI, or could allow the attacker to run arbitrary code, which might impact the availability of the system and allow manipulation of PHI.”
“This potential vulnerability is not directly accessible from outside the customer’s network, since the protection of this remote service connection runs to within the network boundary,” GE officials said in a statement. “However, exposure of the connection on the customer’s network to the medical device may allow for a malicious party to use the vulnerability to gain access to the device.“
Ranked at a critical 9.8 out of 10 severity rating, the flaws affect dozens of radiological devices. According to GE, the vulnerability impacts a wide range of radiological devices, like CT Scanners, PET machines, MRIs, molecular imaging devices, mammography devices, X-Rays, and ultrasound devices.
Some GE workstations and surgical imaging devices are also affected by the flaw. The vendor provided a full list of affected devices to assist healthcare providers in identifying vulnerable devices.
“Over the past few months we’ve seen a steady rise in the targeting of medical devices and networks, and the medical industry is unfortunately learning the hard way the consequences of previous oversights,” said Elad Luz, head of research at CyberMDX, in a statement.
“Protecting medical devices so that hospitals can ensure quality care is of utmost importance,” he added. “We must continue to eliminate easy access points for hackers and ensure the highest level of patient safety is upheld across all medical facilities.”
GE released recommended mitigations for some of these devices and intends to take proactive measures to ensure proper configuration of firewall protection of the device, as well as changing the default passwords on the affected devices, where possible.
Per standard vulnerability alerts, it’s recommended that entities employ best practice network security policies and procedures in the clinical environment, such as implementing proper network segmentation practices across the hospital and clinical networks.
Administrators should create explicit access rules based on the source, destination IP, and port for all connections, including those used for remote support and others employed for TELNET, FTP, REXEC, and SSH.
IPSec Virtual Private Networks (VPNs) and explicit access rules should be implemented at the internet edge, prior to forwarding incoming connections at the local level of the hospital and or clinical network.
Currently, there have been no public exploits specifically targeting these flaws.
“The combination of default passwords with a version of remote service functionality may allow for a malicious party to gain a level of access at least comparable to a GE (remote) service user,” officials said in a statement.
“GE Healthcare has performed a rigorous left-right look throughout their product portfolio, followed by safety risk assessment of all products potentially impacted to assess worst-case scenarios of access and their potential outcome,” they added. “The result of these assessments is that there is no safety concern associated, and you may continue to use the devices.”
It's the second CISA vulnerability disclosure around authentication with certain GE devices in 2020. Several flaws were reported in January, including missing authentication for a critical function of the integrated service's keyboard switching in some devices that could allow remote keyboard input access without network authentication.