by John R. Fischer
, Senior Reporter | January 23, 2020
Six cybersecurity vulnerabilities have been uncovered in specific GE Healthcare monitoring solutions used at hospitals, reports the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
The flaws — referred to as MDhex — run the risk of being exploited by attackers, who could gain access and make changes to the software, potentially rendering the systems unusable, interfering with their functionality, manipulating their alarm settings, and exposing private healthcare information.
“Maintaining the safety and security of our devices is a top priority,” a GE Healthcare spokesperson told HCB News. “We are instructing the facilities where these devices are located to follow network management best practices and are developing a software patch with additional security enhancements. We are not aware of any incidents where these vulnerabilities have been exploited in a clinical situation.”
Special-Pricing Available on Medical Displays, Patient Monitors, Recorders, Printers, Media, Ultrasound Machines, and Cameras.This includes Top Brands such as SONY, BARCO, NDS, NEC, LG, EDAN, EIZO, ELO, FSN, PANASONIC, MITSUBISHI, OLYMPUS, & WIDE.
The vulnerabilities were found by healthcare cybersecurity provider CyberMDX, whose research team came across them while investigating the use of deprecated Webmin versions and potentially problematic open port configurations in GE’s Carescape CIC Pro workstation. The issues were all ranked as high-severity security vulnerabilities, with five given a CVSS (v3.1) value of 10, while the sixth received an 8.5 on the National Infrastructure Advisory Council’s (NIAC) 1-10 scale for assessing the severity of computer system vulnerabilities.
Among the affected products are certain versions of the Carescape Central Information Center (CIC), Apex Telemetry Server/Tower, Central Station (CSCS), Telemetry Server, B450 patient monitor, B650 patient monitor, and B850 patient monitor. The install base of these products is believed to be in the hundreds of thousands and they have been adopted by hospitals across the globe.
Each of the flaws pertains to a different aspect of the design and configuration of the devices. One involves private keys enabling SSH abuses, while another allows rogue SMB connections to occur due to credentials hard-coded in Windows XP Embedded (XPe) operating systems.
The vulnerabilities were reported in September 2019, with CyberMDX, GE and CISA working over the next few months to confirm the flaws, audit their technical details, evaluate associated risks, and abide by the responsible disclosure process.
“Even without any hacking, most of the credentials to do with these vulnerabilities can be found in publicly available documentation,” said Elad Luz, head of research at CyberMDX. “This is a good case in point for the fact that the problem with medical device security is not one of a lack of sufficient cyber expertise or sophistication on the part of the manufacturers, but of a complete lack of attention and basic consideration given to the issue during the design and manufacturing of the product. Practices like these, which are commonplace among medical device manufacturers, reflect an institutional absence of cyber awareness that should be present while designing the products.”
GE is currently developing software updates with additional security enhancements, and encourages its users to check its security website for the most up-to-date information and to subscribe to notifications that will alert them when patches become available.
Providers in the meantime — as long as it is not absolutely necessary for the device's core clinical functionality — are encouraged to utilize firewalls to block the following ports: 22 (SSH); 445/137 (SMB); 5225 (MultiMouse); 5800/5900 (VNC); 10000 (Webmin); and 10001 (GE update manager).
They also are advised to make sure that Carescape deployment is configured according to the network topology designed by GE, that the MC and Rx networks are isolated, and that the IX networks are set up outside of a broader hospital network and routed to it through a firewall.