Vulnerabilities Found in Some GE Healthcare Devices
Regulators Issue Alerts; Patches on the Way
Federal regulators are warning healthcare providers about six vulnerabilities in some of GE Healthcare's medical device systems that could allow attackers to remotely take control of the gear.
Alerts issued Thursday by the Food and Drug Administration and the Department of Homeland Security spotlight vulnerabilities identified recently by security research firm CyberMDX in various GE Healthcare clinical information central stations and telemetry servers.
The affected products collect and display data, including patients' physiological status - such as temperature, heartbeat, blood pressure - as well as patient demographic or other nonmedical information, the FDA notes.
The FDA notes that GE Healthcare will be issuing patches to address the vulnerabilities.
GE Healthcare also issued a security advisory about the CyberMDX findings, noting that there have been no reported incidents of hacker attacks involving affected products in clinical use or any reported injuries associated with any of these vulnerabilities.
The company says the vulnerabilities, if exploited, "could possibly result in a loss of monitoring and/or loss of alarms during active patient monitoring. The vulnerability and related risk of exploitation is higher if the [affected] networks are improperly configured."
The GE Healthcare product vulnerabilities are the latest example of the medical device cybersecurity challenges the healthcare sector faces.
"Healthcare delivery professionals and patients deserve to have confidence in the safety and efficacy of medical devices," says Kevin Fu, a professor at the University of Michigan and founder and chief scientist of its Archimedes Center for Medical Device Security.
"We have a long way to go to protect medical devices, and I expect to see many more cybersecurity problems related to alarms and alarm fatigue. We put too much blind trust in software."
Former healthcare CISO Mark Johnson, who's now with the consulting firm LBMC Information Security, notes that the identified issues in the GE Healthcare products spotlight security problems similar to those faced in other sectors.
"Outside of phishing, attackers are targeting the internet of things in general," he says. "These devices were generally not designed or built with security in mind.
"If we look at the general cyber news reporting on the rise of botnets, some of these have been attributed to susceptible IoT devices. Medical devices are a unique subset of IoT and ... vulnerabilities in IoT and medical devices will continue now and for the foreseeable future."
In its warning, DHS says the vulnerabilities include:
- Unprotected storage of credentials;
- Improper input validation;
- Use of hard-coded credentials;
- Missing authentication for critical function;
- Unrestricted upload of file with dangerous type;
- Inadequate encryption strength.
"Successful exploitation of these vulnerabilities could occur when an attacker gains access to the mission critical and/or information exchange networks due to improper configuration or physical access to devices," DHS says.
"These vulnerabilities, if exploited, may allow an attacker to obtain PHI data, make changes at the operating system level of the device, with effects such as rendering the device unusable, otherwise interfering with the function of the device and/or making certain changes to alarm settings on connected patient monitors, and/or utilizing services used for remote viewing and control of devices on the network to access the clinical user interface and make changes to device settings and alarm limits, which could result in missed or unnecessary alarms or silencing of some alarms."
In a statement, CyberMDX says five out of the six vulnerabilities have been rated a maximum 10/10 severity, while the final vulnerability has been graded as a high severity vulnerability with a score of 8.5/10.
The affected GE Healthcare equipment includes the Carescape Telemetry Server, ApexPro Telemetry Server, Carescape Central Station and Clinical Information Center systems, and Carescape B450, B650 and B850 monitors.
In a statement, GE Healthcare tells Information Security Media Group: "We are instructing the facilities where these devices are located to follow network management best practices and are developing a software patch with additional security enhancements. We are not aware of any incidents where these vulnerabilities have been exploited in a clinical situation."
While GE Healthcare says the majority of the affected devices are located in the U.S., the company does not disclose its installed base numbers for individual products.
In its alert, the FDA notes: "The risk posed by the vulnerabilities can be reduced by segregating the network connecting the patient monitors with the GE Healthcare Clinical Information Central Stations and Telemetry Servers from the rest of the hospital network. Use firewalls, segregated networks, virtual private networks, network monitors or other technologies that minimize the risk of remote or local network attacks."
White Hat Analysis
Elad Luz, head of security research at CyberMDX, tells ISMG that most of the identified flaws would allow hackers to compromise a line of patient monitoring products with relatively little effort.
"More specifically speaking, some of the vulnerabilities can be exploited by using hard-coded credentials together with publicly available software - i.e. Windows file sharing, VNC, SSH - in an attack that may lead to PHI theft and/or modifying the functionality of patient monitors."
Luz says CyberMDX became aware of the potential vulnerability "when it was brought to our attention by an alert generated by our solution that a specific [GE] product was allowing incoming traffic on a range of management ports, and in addition was running a deprecated version of Webmin. This led to a more in-depth examination of the specific product, which ultimately resulted in CyberMDX reporting six vulnerabilities to GE on Sept. 18, 2019."
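The FDA's segregation advice and CyberMDX's observation that the device exposed management ports (Windows file sharing, VNC, SSH, Webmin) suggest a simple defender check: flag allowed flows that enter the monitoring segment from elsewhere on those services' default ports. The following is an added example, not code from GE Healthcare, CyberMDX or the regulators; the flow-record layout, the 10.50.0.0/24 monitoring segment and the other addresses are constructed assumptions.

```python
import ipaddress

# Management services named in the CyberMDX findings, keyed by default port.
MGMT_PORTS = {445: "smb", 5900: "vnc", 22: "ssh", 10000: "webmin"}

# Constructed sample flow records: src_ip src_port dst_ip dst_port proto action.
# The 10.50.0.0/24 monitoring segment and all addresses are assumptions.
SAMPLE_FLOWS = """\
10.20.3.15 51234 10.50.0.7 445 tcp allow
10.50.0.3 49152 10.50.0.7 22 tcp allow
10.20.3.15 51240 10.50.0.9 5900 tcp allow
10.20.3.16 51241 10.50.0.9 10000 tcp deny
10.20.3.20 51250 10.50.0.7 443 tcp allow
192.168.9.4 40000 10.50.0.12 10000 tcp allow
"""


def parse_flow(line):
    src, sport, dst, dport, proto, action = line.split()
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "dport": int(dport), "proto": proto, "action": action}


def find_segmentation_violations(flow_text, monitor_net="10.50.0.0/24"):
    """Return (src, dst, service) for allowed TCP flows that reach the monitoring
    segment from outside it on a management port. Traffic that stays inside the
    segment, and flows the firewall already denied, are ignored."""
    net = ipaddress.ip_network(monitor_net)
    hits = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["action"] != "allow" or f["proto"] != "tcp":
            continue
        if f["dst"] in net and f["src"] not in net and f["dport"] in MGMT_PORTS:
            hits.append((str(f["src"]), str(f["dst"]), MGMT_PORTS[f["dport"]]))
    return hits


if __name__ == "__main__":
    for src, dst, svc in find_segmentation_violations(SAMPLE_FLOWS):
        print(f"cross-segment {svc} access into monitoring network: {src} -> {dst}")
```

Any hit is evidence that the segment is not actually isolated, which is the precondition the DHS alert names for exploitation.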
Healthcare organizations using the affected products should take several critical steps, says Johnson, the consultant.
"Patch when the patches are available. These should be considered critical patches, and they need to be expedited into the operational infrastructure as soon as available," he says.
"Second ... is segmentation. The alerts from DHS, FDA and GE all say that isolation or segmentation is the first thing any organizations should do. We have been talking to our clients for over a year about this very thing," he notes.
"Lastly I'd say if I were a healthcare CIO or CISO and seeing yet another alert on medical device security, and if I need to segment my network to protect these devices, I would look very hard at the projects I have set up for this year. If segmentation is not on my list of projects, it should be. If it is, then it needs to get a higher priority."