CyberMDX has reported cybersecurity vulnerabilities in CT scanners, MRI and PET machines, mammography, and ultrasound devices produced by GE. Exploitation could potentially result in the release or modification of patient data.
This vulnerability, called MDhex-Ray, impacts several GE machines including devices utilized during surgery. It was identified during an examination of patterns of unsecured communications of medical devices and vendor servers.
The vulnerability is a result of hardcoded default passwords that are challenging to uncover, but easy to exploit. Maintenance protocols require specific services or ports to be open while using credentials. A hacker could use malware to trick a certified user into opening one of these services, giving the hacker access to patient data and control over affected devices.
If a hacker is able to gain access to a healthcare delivery organization network, the release and altering of patient data is possible. With a vulnerability such as this, patient treatment and records could be hindered, and the machine’s availability may also be compromised. A researcher at CyberMDX claims that many customers were not aware of the possible vulnerabilities. In order to take action, a patient must rely on a GE engineer to change the password on site. GE claims that they are unaware of any unauthorized access that caused exploitation due to the vulnerability.
GE Healthcare has conducted a risk assessment and stated that patients should not have safety concerns. The company also claims that the vulnerability only impacts a single-digit percentage of its affected devices. A researcher at CyberMDX states it has been “extremely challenging” for GE to conduct assessments with so many affected products.
The U.S. Cybersecurity and Infrastructure Security Agency gave MDhex-Ray a CVSS score of 9.8 out of 10, meaning critical severity. Just a year ago, vulnerabilities were reported in other GE equipment and the company later admitted that the vulnerabilities could have led to patient injury after the products’ initial clearing. GE states that they have been working with customers for about a year to fix these problems. Despite its current struggles, GE states they are taking proactive measures to ensure patient safety.