Skip to main content
close search
site logo
Dive Brief

GE Healthcare warns of cybersecurity risks in ultrasound devices, software

Cybersecurity group Nozomi Networks Labs identified 11 vulnerabilities across several systems and software in an investigation of imaging machines.

Published May 15, 2024
By
Contributor
A person stands in front of the screen of a machine on wheels, near a sign that says "GE HealthCare"
GE HealthCare's medical equipment is displayed during the 2023 World Health Expo at the Wuhan International Expo Center on April 7, 2023. Stringer via Getty Images

Dive Brief:

  • GE Healthcare said Tuesday some of its ultrasound devices have vulnerabilities that malicious actors with physical access to the products could exploit.
  • Nozomi Networks Labs, a cybersecurity group that discovered the vulnerabilities, said the flaws could allow someone to put ransomware on an ultrasound machine or manipulate patient data.
  • GE Healthcare said in cybersecurity notices that existing mitigations and controls “reduce the risk as far as possible” and it would be “immediately obvious” if a malicious actor rendered an ultrasound device unusable.

Dive Insight:

GE Healthcare disclosed the vulnerabilities on its product security portal. The company outlined the vulnerabilities, the risks and recommendations for users of the products in two new posts and an update to an entry from 2020. The notices cover products including the Vivid line of ultrasound devices.

Nozomi provided more information in a blog post, which was also posted on Tuesday. The cybersecurity group described 11 vulnerabilities that affect several GE Healthcare systems and software programs. Researchers found the flaws as part of an investigation into ultrasound devices used in cardiovascular care.

The Vivid T9 ultrasound device analyzed by Nozomi features a desktop PC that runs a customized version of Microsoft Windows 10. The interface largely restricts users from accessing the operating system. Vivid T9 comes with an accessory management web application and a clinical software package. Nozomi found vulnerabilities in the system that could be exploited to gain administrative privileges. 

After obtaining full privileges, the cybersecurity researchers were able to make the device’s screen show an image requesting a ransom.

Nozomi also found nothing can stop an attacker with full privileges from “accessing and even manipulating all patient data” stored on the device. The researchers outlined what could happen if a primary healthcare facility in a major city was the victim of an attack via Vivid T9. 

“The inability to access or use the devices due to ransomware could delay critical medical procedures, hinder accurate diagnoses and impede timely treatment,” Nozomi said. “Patient confidentiality, a cornerstone of healthcare ethics, could be compromised, leading to potential breaches of privacy and legal implications for the hospital.”

Nozomi wrote that GE Healthcare confirmed its “trained medical staff has executed medical safety risk assessment following regulatory expectations.”

The cyber firm recommended never leaving ultrasound devices unattended and blocking incoming connections to workstations that have the clinical software installed and are connected to unprotected networks.

Recommended Reading

Editors' picks

Company Announcements

View all | Post a press release
Osteal Therapeutics Announces Positive 12-Month Results from the APEX Clinical Trial Program a…
From Osteal Therapeutics
November 14, 2024
Arsenal Medical Launches EMBO-02 Study for NeoCast™ to Assess Treatment of Chronic Subdural He…
From Arsenal Medical
November 14, 2024
Viz.ai Wins Prestigious Prix Galien USA Award for Best Digital Health Solution
From Viz.ai
November 12, 2024
Lunit Shows Promise of AI in Predicting Immunotherapy Response for Rare Cancer Patients at SIT…
From Lunit
November 10, 2024
Editors' picks
Latest in Medical Devices
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell