CyberMDX discovered a new cybersecurity flaw in GE imaging and ultrasound devices. The flaw potentially allows unauthorized individuals remote access to the devices. More details on the medical device cybersecurity issues are discussed below.

GE Medical Device Cybersecurity

The GE medical device cybersecurity vulnerability, dubbed “MDhex-Ray,” was announced by the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) early this month. MDhex-Ray potentially affects several types of GE radiology devices, including CT and PET scanners, mammography devices, MRI machines, ultrasounds, X-rays and molecular imaging devices.

In response to the announcement, GE Healthcare stated, “We are not aware of any unauthorized access to data or incident where this potential vulnerability has been exploited in a clinical situation. We have conducted a full risk assessment and concluded that there is no patient safety concern. Maintaining the safety, quality, and security of our devices is our highest priority.”

This cybersecurity flaw, which allows remote access to the medical devices, appears to lie in the devices’ hard-coded default passwords. The GE medical device cybersecurity issues should concern healthcare organizations and their patients because once an unauthorized individual gains access to the vulnerable devices, they can corrupt the data. A threat actor could exploit the remote access vulnerability to make changes to patient protected health information (PHI), or even take the machines offline, rendering them unusable.

The situation is so dire that CISA has classified the threat as “critical”, scoring it a 9.8 (out of 10.0) on the Common Vulnerability Scoring System.

CyberMDX researchers explained, “After detecting the anomalies, the research further investigated discovering multiple recurring maintenance scenarios instigated automatically by GE’s server. The maintenance protocols rely on the machine having certain services available/ports open and using specific globally-used credentials. These global credentials provide hackers with easy access to crucial medical devices. They also enable them to run arbitrary code on impacted machines and provide access to any data from the machine.”

Why is Medical Device Cybersecurity Important?

Many organizations don’t realize that they should be concerned about medical device cybersecurity because they don’t think of medical devices as being connected to the internet. However, many medical devices rely on an internet connection to function properly. Additionally, once a threat actor has gained access to an organization’s network through a medical device cybersecurity flaw, that unauthorized party has the potential to access any device connected to the network. In essence, the threat actor could easily access all of your sensitive data contained on any number of devices, including computer systems, mobile devices and tablets, and other devices that connect to the organization’s network.

Elad Luz, head of research at CyberMDX, stated, “Over the past few months we’ve seen a steady rise in the targeting of medical devices and networks, and the medical industry is unfortunately learning the hard way the consequences of previous oversights. Protecting medical devices so that hospitals can ensure quality care is of utmost importance. We must continue to eliminate easy access