Written by Sean Lyngaas
Security researchers have discovered a software vulnerability that could allow an attacker to steal sensitive patient data from X-ray and MRI machines, on more than 100 models of General Electric medical devices.
While there is no evidence that hackers have exploited the vulnerability for their own gain, the flaw points to the recurring issue of health care devices sending patient information over insecure channels. In this case, the maintenance software for the GE medical devices used publicly exposed login credentials, which could allow attackers to execute code on the devices.
“The bigger picture here is authentication and it’s a problem that’s unfortunately typical for medical devices,” said Elad Luz, a researcher at CyberMDX, the medical security company that publicly disclosed the vulnerability on Tuesday.
Using the vulnerability to steal patient data would require a malicious hacker to first gain access to a health care organization’s computer network. Actually leveraging the bug would not require much skill, according to Luz.
CyberMDX researchers reported the issue to GE, one of the largest medical-device vendors in the world, in May. The owners of the affected GE devices can’t replace the vulnerable credentials themselves; GE has to do it for them. The process is ongoing.
“We have conducted a full risk assessment and concluded that there is no patient safety concern,” said a spokesperson for GE’s health care unit. “We are providing on-site assistance to ensure credentials are changed properly and confirm proper configuration of the product firewall. Additionally, we are advising the facilities where these devices are located to follow network management and security best practices.”
Security experts have gone to greater lengths to probe sensitive medical equipment as hospitals grow more reliant on connected devices. New York-based CyberMDX has often been at the center of the discoveries. The firm in July 2019 reported a flaw in technology underpinning GE anesthesia and respiratory devices, and separate vulnerabilities in GE’s patient monitors in January.
The U.S. Food and Drug Administration has since dedicated more resources to working with security researchers to fix such security issues.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency amplified the CyberMDX discovery on Tuesday and pointed health care organizations to GE’s security advice. The advisory said only that a “limited set” of patient data could be exposed by an attacker.
There are no known exploits for the vulnerability, according to CISA.
Stephanie Domas, executive vice president at MedSec, another medical device security firm, said vulnerabilities are increasingly affecting whole families of devices.
“While the number of medical device vulnerabilities disclosed this year has decreased, the complexity of what has been disclosed has increased,” Domas said. “This vulnerability is not isolated to one specific device; it’s an entire family of devices, which increases the potential impact to the ecosystem.”
The trend “is a testament to the maturation of medical device cybersecurity” in that researchers are exploring more complex issues, Domas added.