A large number of GE Healthcare medical devices have a vulnerability that could put patient safety and privacy at risk.
On December 9th, two separate credential reuse vulnerabilities, collectively known as MDHexRay, were detected in twenty-four separate product families in GE Healthcare's imaging business, according to an NHS Digital Cyber Alert. These vulnerabilities affect a wide range of GE Healthcare's imaging and ultrasound products and could be used to obtain sensitive patient information or issue commands on the affected systems.
Both vulnerabilities are the result of default credential reuse in the Unix-based operating systems GE Healthcare installs on the affected products. The default credentials are used to remotely administer and maintain GE Healthcare products for updates, patches, and maintenance, and were freely available through GE Healthcare's customer portal. Any user with prior access to these credentials would be able to log into an affected product and alter system settings or expose data in transit. The vulnerability was first noticed in late May 2020, and since then, numerous affected GE devices have been discovered.
MDHexRay affects more than 20 product families across GE Healthcare's advanced visualization, CT, interventional, mammography, MRI, PET, ultrasound, and X-ray modalities. The MDHexRay vulnerability, designated CVE-2020-25179, has received a severity score of 9.8/10 and has been found in more than 100 CT, X-ray, and MRI device models across various GE Healthcare product lines.
GE Healthcare told BleepingComputer “We are not aware of any unauthorized access to data or an incident where this potential vulnerability has been exploited in a clinical situation. We have conducted a full risk assessment and concluded that there is no patient safety concern. Maintaining the safety, quality, and security of our devices is our highest priority.”
Given the large number of vulnerable devices, finding a solution to this systemic flaw is going to be difficult. It could take years for a patch to reach the entire customer base, and device maintenance can be costly.
GE Healthcare has since confirmed that it is contacting customers to change the default credentials. Affected organizations are encouraged to log in to their GE Healthcare Product Security Portal accounts to ensure these are changed immediately. Affected organizations are also encouraged to restrict and monitor the following ports:
- FTP (port 21)
- SSH (port 22)
- Telnet (port 23)
- REXEC (port 512)
For more details, please refer to https://us-cert.cisa.gov/ics/advisories/icsma-20-343-01
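The port-monitoring recommendation above, as an added example that is not part of the original post or of GE's or Cylera's tooling: a small Python check that flags connections to inventoried imaging devices on the four advisory ports, treating any source outside an assumed maintenance subnet as high severity and cleartext protocols (FTP, Telnet, REXEC) even from the maintenance subnet as medium. The device inventory, the maintenance subnet, and the firewall log format and lines are all constructed.

```python
"""Flag remote-management traffic to imaging devices on the MDHexRay ports.

Added example, not Cylera's or GE's code. The device inventory, the
allowed maintenance subnet and the firewall log lines are constructed.
"""
import ipaddress
import re

# Ports named in the advisory: FTP, SSH, Telnet, REXEC.
MDHEXRAY_PORTS = {21: "FTP", 22: "SSH", 23: "Telnet", 512: "REXEC"}
CLEARTEXT = {21, 23, 512}  # protocols that carry credentials unencrypted

# Constructed asset inventory: imaging devices on the clinical VLAN.
IMAGING_DEVICES = {"10.20.30.11", "10.20.30.12", "10.20.30.13"}
# Constructed allow-list: the biomed / vendor remote-service subnet.
ALLOWED_MAINTENANCE = [ipaddress.ip_network("10.99.0.0/24")]

# Constructed log format: "<ts> src=<ip> dst=<ip> dport=<port> proto=tcp action=allow"
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

def classify(line):
    """Return an alert string for a suspicious log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, dport = m.group(1), m.group(2), int(m.group(3))
    if dst not in IMAGING_DEVICES or dport not in MDHEXRAY_PORTS:
        return None  # not an imaging device, or not a management port
    svc = MDHEXRAY_PORTS[dport]
    from_allowed = any(ipaddress.ip_address(src) in net for net in ALLOWED_MAINTENANCE)
    if not from_allowed:
        return f"HIGH {svc} to {dst} from non-maintenance host {src}"
    if dport in CLEARTEXT:
        return f"MEDIUM cleartext {svc} to {dst} from maintenance host {src}"
    return None  # SSH from the maintenance subnet is the expected path

def scan(lines):
    """Run classify() over a log feed and keep only the alerts."""
    return [a for a in (classify(l) for l in lines) if a]

SAMPLE_LOGS = [  # constructed sample lines
    "2020-12-09T10:01:02Z src=10.99.0.5 dst=10.20.30.11 dport=22 proto=tcp action=allow",
    "2020-12-09T10:02:10Z src=10.99.0.5 dst=10.20.30.11 dport=23 proto=tcp action=allow",
    "2020-12-09T10:03:44Z src=10.50.7.200 dst=10.20.30.12 dport=22 proto=tcp action=allow",
    "2020-12-09T10:04:01Z src=10.50.7.200 dst=10.20.30.12 dport=512 proto=tcp action=allow",
    "2020-12-09T10:05:30Z src=10.50.7.200 dst=10.20.30.99 dport=23 proto=tcp action=allow",
    "2020-12-09T10:06:00Z src=10.50.7.201 dst=10.20.30.13 dport=443 proto=tcp action=allow",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
```

Hosts not in the inventory and ports other than the four listed are ignored, so the inventory itself is the control that makes the check meaningful.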
Security Vulnerability Prevention
Medical data can easily be exploited unless proper security measures are taken. Security vulnerabilities such as these are 100% preventable when HDOs and medical device vendors adopt sound password policies and utilize multi-factor authentication. Unfortunately, GE is not alone in using shared credentials to administer medical devices, nor in having critical security vulnerabilities in its medical devices discovered years after manufacture. Medical and other healthcare IoT (HIoT) devices pose some of the greatest cybersecurity and privacy risks to hospitals and other healthcare providers, putting patient safety in jeopardy.
"Yet most hospitals have little to no idea what medical device assets connect to their networks or what risks each poses to patient safety or the confidentiality, integrity, and availability of protected health data," claimed Richard Staynings, Cylera's Chief Security Strategist, during a recent webinar appearance.
To discover what HIoT assets connect to your healthcare network, talk to us about a no-cost POC or schedule a demo of how Cylera's MedCommand may be able to help you.