GE Healthcare’s Internet-Connected Radiology Gear Vulnerable to Remote Exploitation, Researchers Find

Researchers have disclosed a critical vulnerability in radiology equipment supplied by GE Healthcare that could let an attacker reach the devices over their maintenance interfaces and make them connect to servers other than GE's own.

According to researchers at CyberMDX, the affected products include the vendor's CT, MRI, mammography, X-ray, ultrasound and positron emission tomography (PET) systems, all of which are exposed to unauthorised remote access.

The root cause is that GE ships these systems with default credentials and with several maintenance ports left open so that its technicians can service them remotely. As Dan Goodin reported for Ars Technica:

“The passwords are available to anyone who knows where on the Internet to look. A lack of proper access restrictions allows the devices to connect to malicious servers rather than only those designated by GE Healthcare. Attackers can exploit these shortcomings by abusing the maintenance protocols to access the devices. From there, the attackers can execute malicious code or view or modify patient data stored on the device or the hospital or healthcare provider servers.”

Healthcare institutions cannot change the credentials themselves; they must summon a GE Healthcare technician to do it. Now that the cat's out of the bag, customers who do not address the issue remain vulnerable to attack.

The discovery, made in May, prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue an advisory to affected healthcare providers, urging them to apply mitigations sooner rather than later.

According to the advisory, GE recommends that users consult the GE Healthcare Product Security Portal for details of the mitigations and of which proactive actions apply to their particular devices, and that they follow "clinical network security best practices."

Those steps include:

  • Ensure proper segmentation of the local hospital/clinical network and create explicit access rules, based on source/destination IP address and port, for all connections, including those used for remote support. Specific ports to consider include those used by TELNET, FTP, REXEC and SSH
  • Use an IPsec VPN and explicit access rules at the Internet edge before forwarding any incoming connection to the local hospital/clinical network
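The two mitigation steps above amount to a concrete, testable policy: the maintenance ports reachable on the modality segment are accepted only from the support path (the inside address of the IPsec VPN concentrator or a jump host), named clinical flows such as DICOM to PACS are accepted explicitly, and everything else is dropped. The script below is an added example, not code from GE Healthcare, CyberMDX or CISA. It renders that policy as an nftables forward-chain ruleset and runs a handful of constructed flow records through the same decision logic, so a practitioner can check which observed connections the deployed rules would have blocked. The subnets, host addresses and DICOM port assignment are hypothetical (RFC 1918 and RFC 5737 ranges); the four maintenance port numbers are the IANA assignments for the protocols named in the advisory.

```python
"""Explicit source/destination/port rules for a radiology modality segment, and
an audit of observed flows against the same policy.

Added example, not code from GE Healthcare, CyberMDX or CISA. Every address
below is hypothetical (RFC 1918 / RFC 5737 ranges)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable

# Maintenance protocols named in the advisory, with their IANA-assigned TCP ports.
MAINTENANCE_PORTS = {"ftp": 21, "ssh": 22, "telnet": 23, "rexec": 512}


@dataclass(frozen=True)
class Policy:
    modality_net: ipaddress.IPv4Network  # segment holding the CT/MR/X-ray units
    support_hosts: frozenset             # IPv4Address set: only sources allowed on maintenance ports
    clinical_allow: tuple = ()           # (src_net, dst_net, dport) triples, e.g. modality -> PACS


def build_nft_ruleset(policy: Policy) -> str:
    """Render an nftables forward-chain ruleset that implements the policy:
    maintenance ports reachable only from the allow-listed support hosts,
    named clinical flows accepted explicitly, everything else logged/dropped."""
    ports = ", ".join(str(p) for p in sorted(MAINTENANCE_PORTS.values()))
    srcs = ", ".join(str(h) for h in sorted(policy.support_hosts))
    rules = [
        "table inet modality_fw {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f"    ip saddr {{ {srcs} }} ip daddr {policy.modality_net} "
        f"tcp dport {{ {ports} }} accept",
    ]
    for src_net, dst_net, dport in policy.clinical_allow:
        rules.append(f"    ip saddr {src_net} ip daddr {dst_net} tcp dport {dport} accept")
    rules += [
        f"    ip daddr {policy.modality_net} tcp dport {{ {ports} }} "
        'log prefix "modality-maint-denied: " drop',
        "  }",
        "}",
    ]
    return "\n".join(rules) + "\n"


def verdict(policy: Policy, src: str, dst: str, dport: int) -> str:
    """Return 'accept' or 'drop' for a new TCP flow, evaluated in the same
    order as the rules rendered above."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if (d in policy.modality_net and dport in MAINTENANCE_PORTS.values()
            and s in policy.support_hosts):
        return "accept"
    for src_net, dst_net, allowed_port in policy.clinical_allow:
        if (s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net)
                and dport == allowed_port):
            return "accept"
    return "drop"  # explicit log+drop rule or the chain's default policy


def audit_flows(policy: Policy, records: Iterable[str]) -> list:
    """Run flow records of the form 'src dst dport' through the policy and
    return the ones a correctly deployed ruleset would have dropped."""
    denied = []
    for rec in records:
        src, dst, port = rec.split()
        if verdict(policy, src, dst, int(port)) == "drop":
            denied.append((src, dst, int(port)))
    return denied


# Constructed sample policy and flow records, not real network data.
POLICY = Policy(
    modality_net=ipaddress.ip_network("10.20.0.0/24"),
    support_hosts=frozenset({ipaddress.ip_address("10.99.0.10")}),  # VPN concentrator inside address
    clinical_allow=(("10.20.0.0/24", "10.30.0.5/32", 104),),        # modalities -> PACS, DICOM
)
SAMPLE_FLOWS = [
    "10.99.0.10 10.20.0.15 22",    # vendor technician arriving through the IPsec VPN
    "10.20.0.15 10.30.0.5 104",    # scanner sending images to PACS
    "10.50.1.20 10.20.0.15 23",    # workstation on a user VLAN trying telnet
    "203.0.113.7 10.20.0.15 512",  # Internet host reaching rexec: must never get past the edge
]

if __name__ == "__main__":
    print(build_nft_ruleset(POLICY))
    for flow in audit_flows(POLICY, SAMPLE_FLOWS):
        print("DENIED", flow)
```

The `ct state established,related accept` line is what lets the scanners' own outbound sessions (DICOM to PACS, HL7 to the RIS) return traffic, so only new connections need an explicit rule; any clinical flow not listed in `clinical_allow` is dropped, which is the intended effect of "explicit access rules for all connections" and is the part that needs to be inventoried with the radiology department before the ruleset goes live.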

“We are not aware of any unauthorized access to data or incident where this potential vulnerability has been exploited in a clinical situation,” a GE spokesperson told Ars and CSO. “We have conducted a full risk assessment and concluded that there is no patient safety concern. Maintaining the safety, quality, and security of our devices is our highest priority.”

The GE representative assured the news outlets that the company is providing “on-site assistance to ensure credentials are changed properly and confirm proper configuration of the product firewall.”

The spokesperson did not say whether this assistance must be requested by the customer or is offered proactively to affected healthcare units.

The CISA advisory lists the affected products and gives a risk evaluation; the vulnerability carries a CVSS base score of 9.8, rated critical.