
Authentication Flaws Found Again in GE Medical Imaging Gear

DHS CISA, GE Healthcare Issue Advisories Describing Problem
DHS: Authentication flaws in certain GE Healthcare medical imaging gear can potentially put patient data at risk for attacks.

Critical authentication vulnerabilities contained in certain GE Healthcare medical imaging and ultrasound products could allow attackers to gain access to sensitive patient data, alter data and affect the availability of the equipment, according to advisories issued Tuesday by the vendor and the U.S. Department of Homeland Security.


The vulnerabilities involving default passwords, recently identified by security researchers at healthcare sector security vendor CyberMDX, are scored as CVSS v3 9.8 and are exploitable remotely with a low level of skill, the advisories from GE Healthcare and DHS’ Cybersecurity and Infrastructure Security Agency warn.

Specifically, CISA notes that the vulnerabilities involve “unprotected transport of credentials” and “exposure of sensitive system information to an unauthorized control sphere.”

Successful exploitation of these vulnerabilities could occur if an attacker gains access to the healthcare delivery organization’s network, CISA says.

“If exploited, these vulnerabilities could allow an attacker to gain access to affected devices in a way that is comparable with GE remote service user privileges,” CISA notes. “A successful exploitation could expose sensitive data such as a limited set of patient protected health information or could allow the attacker to run arbitrary code, which might impact the availability of the system and allow manipulation of PHI.”

No Reported Attacks

In its advisory, GE Healthcare says there have been no reported incidents of such a cyberattack occurring in a clinical use setting, nor any reported injuries as a result of this issue.

The vulnerabilities affect a range of GE Healthcare radiological products, including CT scanners, PET machines, molecular imaging devices, MRI machines, mammography devices, X-ray machines, ultrasound devices and some workstations and imaging devices used in surgery, DHS CISA notes.

Earlier Findings

GE Healthcare notes in its advisory that, in 2018, it worked with a different security researcher on a vulnerability disclosure that was also about the use of default passwords in certain GE Healthcare medical devices, which also resulted in a DHS alert issued in March 2018 (see:

In its latest advisory on Tuesday, however, GE Healthcare said that another third-party researcher, this time from CyberMDX, found that “the combination of default passwords with a version of remote service functionality may allow for a malicious party to gain a level of access at least comparable to a GE remote service user.”

The potential vulnerability “is not directly accessible from outside the customer’s network, since the protection of this remote service connection runs to within the network boundary,” GE Healthcare says.

“However, exposure of the connection traffic on the customer’s network to the medical device may allow for a malicious party to use the vulnerability to gain access to the device.”

Mitigation Steps

In its alert, CISA says GE Healthcare “has identified mitigations for specific products and releases and will take proactive measures to ensure proper configuration of the product firewall protection and change default passwords on impacted devices where possible.”

In addition to the product-specific recommendations, GE Healthcare says it recommends that customers use “clinical network security best practices,” including:

  • Ensure proper segmentation of the local hospital/clinical network and create explicit access rules based on source/destination IP/port for all connections, including those used for remote support. Specific ports to consider may include those used for Telnet, FTP, REXEC, and SSH;
  • Use IPSec VPN and explicit access rules at the internet edge before forwarding incoming connections to the local hospital/clinical network.
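The two recommendations above amount to a rule set: only an explicit source/destination/port pairing may reach the imaging segment, and the cleartext maintenance services the advisory names (Telnet, FTP, REXEC) should never appear there without such a rule. The script below is an added example, not code from GE Healthcare, CyberMDX or either advisory: it audits a constructed set of flow records against a constructed allowlist and flags any Telnet, FTP or REXEC connection into the imaging segment that no explicit rule covers. The address plan (imaging modalities in 10.20.0.0/24, a vendor jump host at 10.50.0.10, PACS at 10.30.0.5), the rules and the sample records are all assumptions made for illustration.

```python
"""Audit network flow records against explicit source/destination/port rules
for an imaging segment.

Added example; this is not code from GE Healthcare, CyberMDX or the advisory.
All addresses, rules and flow records are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
import ipaddress

# Services named in the advisory; the first three carry credentials in clear text.
CLEARTEXT_SERVICE_PORTS = {21: "FTP", 23: "Telnet", 512: "REXEC"}
SSH_PORT = 22

# Constructed address plan (assumption): imaging modalities live in 10.20.0.0/24,
# the vendor remote-support path terminates on a single jump host 10.50.0.10,
# and PACS is 10.30.0.5.
IMAGING_SEGMENT = ipaddress.ip_network("10.20.0.0/24")


@dataclass(frozen=True)
class AccessRule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int
    purpose: str


def rule(src, dst, dport, purpose):
    """Build an AccessRule from CIDR strings."""
    return AccessRule(ipaddress.ip_network(src), ipaddress.ip_network(dst), dport, purpose)


# Explicit allow rules (constructed): anything else touching the imaging segment is denied.
ACCESS_RULES = [
    rule("10.50.0.10/32", "10.20.0.0/24", SSH_PORT, "vendor remote support via VPN jump host"),
    rule("10.20.0.0/24", "10.30.0.5/32", 104, "DICOM transfer to PACS"),
]


def classify_flow(src, dst, dport, rules=ACCESS_RULES, segment=IMAGING_SEGMENT):
    """Return (verdict, reason) for one connection attempt.

    allow  - matches an explicit rule
    alert  - cleartext maintenance service (FTP/Telnet/REXEC) reaching the
             imaging segment without a rule: the exposure the advisory describes
    deny   - touches the imaging segment but no rule permits it
    ignore - does not involve the imaging segment at all
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in segment and d not in segment:
        return "ignore", "does not touch the imaging segment"
    for r in rules:
        if s in r.src and d in r.dst and dport == r.dport:
            return "allow", r.purpose
    if d in segment and dport in CLEARTEXT_SERVICE_PORTS:
        name = CLEARTEXT_SERVICE_PORTS[dport]
        return "alert", f"{name} to imaging device without an explicit rule"
    return "deny", "no explicit rule covers this connection"


def parse_flow_line(line):
    """Parse a constructed 'src,dst,dport' record (the shape a flow export might have)."""
    src, dst, dport = (field.strip() for field in line.split(","))
    return src, dst, int(dport)


def audit_flows(lines, rules=ACCESS_RULES, segment=IMAGING_SEGMENT):
    """Classify every record; returns a list of (line, verdict, reason)."""
    results = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments in the sample export
        src, dst, dport = parse_flow_line(line)
        verdict, reason = classify_flow(src, dst, dport, rules, segment)
        results.append((line.strip(), verdict, reason))
    return results


def summarize(results):
    """Count verdicts, e.g. {'allow': 2, 'alert': 3, 'ignore': 1, 'deny': 1}."""
    return dict(Counter(verdict for _, verdict, _ in results))


# Constructed sample export: src,dst,dport
SAMPLE_FLOWS = """
# vendor support over SSH from the jump host: expected
10.50.0.10,10.20.0.15,22
# modality sending images to PACS: expected
10.20.0.15,10.30.0.5,104
# clinical workstation reaching a modality over Telnet and FTP: the exposure
192.168.7.4,10.20.0.15,23
192.168.7.4,10.20.0.15,21
# jump host using REXEC instead of the sanctioned SSH path
10.50.0.10,10.20.0.15,512
# traffic elsewhere in the hospital: out of scope for this check
10.60.1.2,10.60.1.3,23
# unknown host attempting SSH to a modality
10.50.0.11,10.20.0.15,22
""".splitlines()

if __name__ == "__main__":
    findings = audit_flows(SAMPLE_FLOWS)
    for line, verdict, reason in findings:
        print(f"{verdict:6} {line:28} {reason}")
    print(summarize(findings))
```

The point of separating `alert` from `deny` is triage: a denied SSH attempt from an unknown host is a policy gap to review, while a Telnet, FTP or REXEC session into a modality is exactly the cleartext credential exposure the advisory warns about and deserves an immediate look. Running the same logic over real flow exports would need the site's own address plan and rule set in place of the constructed ones.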

GE Healthcare's Response

A GE Healthcare spokesperson tells Information Security Media Group that vulnerabilities identified by CyberMDX affect “a single-digit percentage of our imaging and ultrasound installed equipment” worldwide.

“The possible security vulnerabilities are limited to certain older versions of medical imaging devices which were developed when the medical device industry as a whole subscribed to a different level of security standards,” the spokesperson says.

To help mitigate the issues, GE Healthcare is providing on-site assistance to ensure credentials are changed properly and confirm proper configuration of the product firewall, the spokesperson says. “Additionally, we are advising the facilities where these devices are located to follow network management and security best practices.”

GE Healthcare adds that it has “conducted a full risk assessment and concluded that there is no patient safety concern.”

‘Very Serious’ Issue

Elad Luz, head of security research at CyberMDX and one of the firm’s researchers who identified the latest GE Healthcare imaging product security flaws, tells ISMG that he considers the vulnerabilities to be “very serious” for several reasons.

“They impact medical devices that are critical for diagnosing patients, successful exploitation results in potentially impacting the device availability and/or altering its results, and the execution complexity of the attacks is very easy - using third party software, such as an FTP client, a Telnet client, and so on, with the generic credentials.”

Potentially, patient PHI may be accessible for read/write access and may also be manipulated, he adds.

Unsecured Communication

In a company statement about its latest findings, CyberMDX says its team discovered the latest authentication vulnerability in the GE Healthcare medical imaging gear “after noticing similar patterns of unsecured communications between medical devices and the corresponding vendor’s servers across several different healthcare delivery organizations.”

After detecting the anomalies, the researchers discovered multiple recurring maintenance scenarios that were instigated automatically by GE's server, CyberMDX says.

“The maintenance protocols rely on the machine having certain services available/ports open and using specific globally used credentials,” CyberMDX says. “These global credentials provide hackers with easy access to crucial medical devices. They also enable them to run arbitrary code on impacted machines and provide access to any data from the machine.”

When connecting medical devices to a network, healthcare providers usually also supply vendors with remote access for them to service the products, Luz tells ISMG.

“We strongly advise checking that those are secured, using secure protocols and reliable authentication methods. If there is any uncertainty regarding those factors, we advise reaching out to the vendor to fill the knowledge gaps.”

Common Problem?

So how common are these types of authentication vulnerabilities in other medical device products?

“Unfortunately, speaking about authentication in general - not necessarily hardcoded credentials - my impression is that the majority of medical devices suffer from those issues,” Luz says.

In fact, earlier this year, Luz identified six other vulnerabilities, including those involving the use of hardcoded credentials, in GE Healthcare patient monitoring products, which were also the subject of a separate DHS alert (see:

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.