GE medical imaging devices impacted by critical cyber vulnerability

Dive Brief:

GE medical imaging devices used by hospitals around the world, including CT scanners and MRI machines, have a cybersecurity vulnerability potentially putting the operation of these systems and the health data contained on them at risk, according to services firm CyberMDX.
The vulnerability, discovered by the firm in May and reported at the time to GE, also impacts certain workstations and imaging devices used in surgery, according to the firm's head of research Elad Luz, who said the medtech giant has been working with customers for most of the year to fix the widespread problem.
GE Healthcare is not aware of any unauthorized access to data or cyber incidents in a clinical situation in which the potential vulnerability has been exploited by hackers. A spokesperson said the company conducted a risk assessment and concluded there is no patient safety concern. However, the U.S. Cybersecurity and Infrastructure Security Agency has given the vulnerability a so-called CVSS score of 9.8 out of 10 (critical severity).

Dive Insight:

The vulnerability, dubbed MDhex-Ray, potentially impacts dozens of GE's radiology product models including CT scanners, MRI and PET machines, as well as mammography and ultrasound devices, according to CyberMDX, which says it is working with GE and CISA to mitigate potential breaches of the hospital systems.

The flaw could allow hackers to gain control of the imaging systems and get access to sensitive patient health information, CyberMDX's Luz warned, noting that GE is a "very popular vendor" for hospital imaging machines.

"They are crucial devices for clinical decision-making," Luz said. "Their downtime is also very expensive" for hospitals and other healthcare facilities should they lose machine functionality.

For a cybercriminal to exploit these vulnerabilities and do potential damage, they must first gain access to a healthcare delivery organization’s network. However, if exploited, these vulnerabilities could allow an attacker to gain access to affected devices in a way that is comparable to that of a remote GE service user.

"A successful exploitation could expose sensitive data such as a limited set of patient health information (PHI) or could allow the attacker to run arbitrary code, which might impact the availability of the system and allow manipulation of PHI," according to CISA's advisory.

GE has identified mitigations and will take proactive measures to ensure proper configuration of the product firewall protection and change default passwords on impacted devices where possible, the advisory notes.

"We are providing on-site assistance to ensure credentials are changed properly and confirm proper configuration of the product firewall. Additionally, we are advising the facilities where these devices are located to follow network management and security best practices," a GE Healthcare spokesperson said in an email statement.

The company insists the vulnerability only impacts a single-digit percentage of its customer-installed base of medical imaging and ultrasound devices.

However, Luz said that "given that there are so many devices affected" by the vulnerability it has been "extremely challenging" for GE to conduct a risk assessment for all the impacted products. As a result, he contends GE's customers need to be proactive in taking their own actions to mitigate the problem.

CISA recommends using network security best practices including ensuring proper segmentation of the local hospital network and create explicit access rules based on source/destination IP/port for all connections, including those used for remote support. The agency says specific ports to consider may include those used for TELNET, FTP, REXEC, and SSHtilize IPSec VPN and explicit access rules at the Internet edge before forwarding incoming connections to the local hospital network.