A cybersecurity vulnerability discovered in more than 100 medical devices from GE Healthcare could compromise patient data, cybersecurity company CyberMDX said Tuesday.
It's the latest example of how medical devices—increasingly connected to the internet or internal hospital networks—could provide another window for hackers targeting healthcare.
The flaw discovered by CyberMDX's research team affects 104 types of radiological devices including CT scanners, X-ray machines and ultrasound devices, across product lines like GE Healthcare's Innova, Optima, Brivo, Definium, Precision, Discovery, Seno, Revolution, Odyssey, PETtrace, Ventri and Xeleris, according to CyberMDX.
There's no evidence to suggest malicious hackers have exploited the vulnerability.
However, a hacker potentially could use it to disrupt the devices, gain access to patient health data held in the devices or even alter such data, said Elad Luz, CyberMDX's head of research.
That earned the flaw a severity score of 9.8 on the National Infrastructure Advisory Council's 10-point scale for assessing cybersecurity vulnerabilities, according to an advisory that the Cybersecurity and Infrastructure Security Agency—a federal agency that's part of the Homeland Security Department—published Tuesday.
From January 2017 to December 2019, Homeland Security's Industrial Control Systems-Cyber Emergency Response Team pushed out 66 such advisories on cybersecurity flaws disclosed by medical device manufacturers, according to data compiled by cybersecurity company MedCrypt this year.
CyberMDX's research team discovered and reported this latest vulnerability to GE Healthcare in May after noticing the company's maintenance protocols for the affected devices relied on having certain ports open and accessible to GE Healthcare, so that the company could manage the devices remotely via the internet. While the update and maintenance software on the devices requires credentials, the default credentials that GE Healthcare uses could be found online, according to Luz.
The credentials are only updated by GE Healthcare's support team at a customer's request; otherwise, they're left as the default credentials, he said.
It wouldn't be possible for an unauthorized user to access the medical devices from anywhere—but, if a hacker connected to a hospital's internal network and entered the default credentials, they would be able to access the devices and the patient data that's stored on the equipment.
A GE Healthcare spokesperson wrote via email that the company has conducted a risk assessment and concluded that "there is no patient safety concern."
GE Healthcare is helping customers with affected devices change credentials and ensure product firewalls are set up properly, as well as advising customers to follow best practices for network management and security.
"Maintaining the safety, quality and security of our devices is our highest priority," the company spokesperson wrote in an emailed statement. "We are not aware of any unauthorized access to data or incident where this potential vulnerability has been exploited in a clinical situation."
Luz advised that hospitals review whether their radiological devices include any of the models affected by the vulnerability, and if so, set up network policies that restrict the maintenance ports so that they can only be reached from GE Healthcare's servers, and contact GE Healthcare to request that the credentials be changed.
"I think that's going to be the challenging part—understanding whether you have affected devices and where they're located in your network," Luz said.
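The two checks Luz describes (find the affected models on the network, then confirm their maintenance ports are only reachable from the vendor's servers and that the default credentials are gone) can be scripted against an asset inventory and flow records. The following is an added illustration, not code from CyberMDX, GE Healthcare or the article; the product-line names come from the article, while the vendor address range, the maintenance port number, the inventory and the flow records are constructed placeholders that a hospital would replace with the values from the vendor advisory and its own network data.

```python
import ipaddress

# Product lines named in the advisory coverage above (from the article).
AFFECTED_PRODUCT_LINES = {
    "Innova", "Optima", "Brivo", "Definium", "Precision", "Discovery",
    "Seno", "Revolution", "Odyssey", "PETtrace", "Ventri", "Xeleris",
}

# ASSUMPTIONS (not from the article): the vendor's remote-maintenance
# source range and the device maintenance port. Both are placeholders;
# take the real values from the vendor advisory.
VENDOR_MAINTENANCE_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3 placeholder
MAINTENANCE_PORTS = {5900}                                           # placeholder port

# Constructed inventory: hostname, address, model string, and whether the
# vendor-supplied default maintenance credentials are still in place.
INVENTORY = [
    {"host": "ct-01", "ip": "10.20.1.10", "model": "Revolution CT",    "default_credentials": True},
    {"host": "xr-02", "ip": "10.20.1.11", "model": "Optima XR240",     "default_credentials": False},
    {"host": "us-03", "ip": "10.20.2.5",  "model": "OtherVendor U100", "default_credentials": True},
]

# Constructed flow records as (src_ip, dst_ip, dst_port), e.g. exported from a
# firewall or NetFlow collector.
FLOWS = [
    ("203.0.113.7", "10.20.1.10", 5900),  # vendor range -> affected device: expected
    ("10.50.9.22",  "10.20.1.10", 5900),  # internal workstation -> affected device: violation
    ("10.50.9.22",  "10.20.1.11", 443),   # not a maintenance port: ignored
    ("10.50.9.22",  "10.20.2.5",  5900),  # device not in an affected product line: ignored
]


def product_line(model):
    """Return the affected product line a model string belongs to, or None.

    Matching on the leading token is an assumption about how model strings
    are recorded in the inventory; adjust to the local naming convention.
    """
    first = model.split()[0]
    return first if first in AFFECTED_PRODUCT_LINES else None


def affected_devices(inventory):
    """Step 1: the devices on the network that belong to an affected product line."""
    return [d for d in inventory if product_line(d["model"])]


def is_vendor_source(ip):
    """True if the source address falls inside the vendor maintenance range(s)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VENDOR_MAINTENANCE_NETS)


def audit(inventory, flows):
    """Step 2: report affected devices that still use default credentials, and
    maintenance-port connections to them that did not come from the vendor."""
    findings = []
    affected = {d["ip"]: d for d in affected_devices(inventory)}
    for device in affected.values():
        if device["default_credentials"]:
            findings.append((device["host"], "default maintenance credentials still in place"))
    for src, dst, port in flows:
        if dst in affected and port in MAINTENANCE_PORTS and not is_vendor_source(src):
            findings.append((affected[dst]["host"],
                             f"maintenance port {port} reached from non-vendor source {src}"))
    return findings


if __name__ == "__main__":
    for host, issue in audit(INVENTORY, FLOWS):
        print(f"{host}: {issue}")
```

Run against the constructed data, the audit flags only `ct-01`: once because its default credentials remain, and once because a workstation outside the vendor range reached its maintenance port. The `xr-02` device is in an affected line but is clean on both counts, and the third-party ultrasound is out of scope for this advisory.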