GE Puts Default Password In Radiology Devices, Leaving Healthcare Networks Exposed

An anonymous reader quotes a report from Ars Technica: Dozens of radiology products from GE Healthcare contain a critical vulnerability that threatens the networks of hospitals and other health providers that use the devices, officials from the US government and a private security firm said on Tuesday. The devices — used for CT scans, MRIs, X-Rays, mammograms, ultrasounds, and positron emission tomography — use a default password to receive regular maintenance. The passwords are available to anyone who knows where on the Internet to look. A lack of proper access restrictions allows the devices to connect to malicious servers rather than only those designated by GE Healthcare. Attackers can exploit these shortcomings by abusing the maintenance protocols to access the devices. From there, the attackers can execute malicious code or view or modify patient data stored on the device or the hospital or healthcare provider servers.

Aggravating matters, customers can’t fix the vulnerability themselves. Instead, they must request that the GE Healthcare support team change the credentials. Customers who don’t make such a request will continue to rely on the default password. Eventually, the device manufacturer will provide patches and additional information. The flaw has a CVSS severity rating of 9.8 out of 10 because of the impact of the vulnerability combined with the ease of exploiting it. Security firm CyberMDX discovered the vulnerability and privately reported it to the manufacturer in May. The US Cyber Security and Infrastructure Security Agency is advising affected healthcare providers to take mitigation steps as soon as possible.

In a statement, GE Healthcare officials wrote: “We are not aware of any unauthorized access to data or incident where this potential vulnerability has been exploited in a clinical situation. We have conducted a full risk assessment and concluded that there is no patient safety concern. Maintaining the safety, quality, and security of our devices is our highest priority. We are providing on-site assistance to ensure credentials are changed properly and confirm proper configuration of the product firewall. Additionally, we are advising the facilities where these devices are located to follow network management and security best practices.”