The U.S. Dept. of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) disclosed the vulnerability yesterday after CyberMDX discovered that it could affect dozens of radiological devices by allowing an attacker to gain access to sensitive data, alter data and impact the availability of the machine, according to a news release.
CyberMDX discovered the vulnerability after observing similar patterns of unsecured communications between medical devices and the corresponding vendor’s servers. Its research uncovered multiple recurring maintenance scenarios initiated automatically by GE’s server.
These maintenance protocols rely on the device having certain services running or ports open and on the use of specific credentials, which can give hackers easy access to crucial medical devices and allow them to run arbitrary code on affected machines, CyberMDX said.
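The exposure described above is a vendor maintenance path that the device keeps open by design, so a hospital's practical control is to confirm that those services are only ever reached from the vendor's maintenance servers and never from elsewhere on the clinical network or the internet. The script below is an added illustration of that check, not tooling from CyberMDX, GE Healthcare or CISA. The log format, the address ranges for the modality VLAN, hospital network and vendor maintenance servers, and the list of maintenance ports are all constructed assumptions for the example; the article names none of them.

```python
"""Flag firewall-allowed connections to imaging devices' remote-maintenance
services that do not originate from an allow-listed vendor maintenance server.

Added illustration only. Every address, port and log line here is a
constructed assumption, not a value from the article or the advisory.
"""
import ipaddress
from dataclasses import dataclass

# Assumption: imaging devices sit in a dedicated modality VLAN.
DEVICE_NET = ipaddress.ip_network("10.50.0.0/24")
# Assumption: the rest of the hospital's clinical network.
HOSPITAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumption: the vendor's maintenance servers reach devices only from this range.
VENDOR_MAINT_NETS = [ipaddress.ip_network("203.0.113.0/28")]
# Assumption: TCP ports the devices keep open for vendor maintenance sessions
# (placeholder set; the article does not list them).
MAINT_PORTS = {21, 22, 23, 4567}


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def parse_line(line):
    """Parse one constructed record:
    "<ts> <src>:<sport> -> <dst>:<dport> <proto> <action>"."""
    ts, src_sp, _arrow, dst_dp, proto, action = line.split()
    src, _sport = src_sp.rsplit(":", 1)
    dst, dport = dst_dp.rsplit(":", 1)
    return (ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
            int(dport), proto, action)


def audit(lines):
    """Return a Finding for every allowed maintenance-port session to a device
    whose source is not one of the vendor's maintenance servers."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, _proto, action = parse_line(line)
        if dst not in DEVICE_NET or dport not in MAINT_PORTS:
            continue  # not a maintenance session to an imaging device
        if action != "ALLOW":
            continue  # blocked at the firewall; nothing reached the device
        if any(src in net for net in VENDOR_MAINT_NETS):
            continue  # expected vendor-initiated maintenance
        if any(src in net for net in HOSPITAL_NETS):
            reason = "maintenance port reached from inside the clinical network"
        else:
            reason = "maintenance port reached from a non-vendor external address"
        findings.append(Finding(ts, str(src), str(dst), dport, reason))
    return findings


# Constructed sample firewall records for the example.
SAMPLE_LOG = """
# ts src:sport -> dst:dport proto action
2021-03-01T01:12:03Z 203.0.113.5:51000 -> 10.50.0.21:22 tcp ALLOW
2021-03-01T01:12:09Z 203.0.113.5:51001 -> 10.50.0.21:21 tcp ALLOW
2021-03-01T02:40:11Z 10.20.7.44:40122 -> 10.50.0.21:23 tcp ALLOW
2021-03-01T03:05:57Z 198.51.100.9:3344 -> 10.50.0.30:22 tcp ALLOW
2021-03-01T03:06:02Z 198.51.100.9:3345 -> 10.50.0.30:22 tcp DENY
2021-03-01T04:00:00Z 10.20.7.44:40200 -> 10.50.0.21:104 tcp ALLOW
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

On the sample records, the two vendor sessions from 203.0.113.5 and the denied attempt are ignored, the DICOM-style port 104 session is out of scope, and the two sessions that reach maintenance ports from a hospital workstation and from an unrelated external address are reported. The same logic applies to any flow or firewall export once `parse_line` is adapted to its format; the point is that the allow list, not the credential, is what separates a legitimate vendor session from an unexpected one.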
GE Healthcare confirmed that the vulnerability impacts a number of devices including CT scanners, PET machines, molecular imaging devices, MRI machines, mammography devices, X-ray machines and ultrasound devices. Additionally, the vulnerability impacts certain workstations and imaging devices used in surgery.
The company said that there is no patient safety concern associated with the potential vulnerability.
“We are not aware of any unauthorized access to data or incident where this potential vulnerability has been exploited in a clinical situation,” a GE Healthcare spokesperson told MassDevice via email. “We have conducted a full risk assessment and concluded that there is no patient safety concern. Maintaining the safety, quality, and security of our devices is our highest priority.”
Cybersecurity firms test for vulnerabilities directly on a device, while a potential hacker would first need to get through a health facility’s clinical network security and firewalls. Even then, imaging data is generally not stored on diagnostic imaging devices long-term, so the personal health information on the devices is limited and a breach of personal or health information is unlikely.
“Over the past few months we’ve seen a steady rise in the targeting of medical devices and networks, and the medical industry is unfortunately learning the hard way the consequences of previous oversights,” CyberMDX head of research Elad Luz said in the news release. “Protecting medical devices so that hospitals can ensure quality care is of utmost importance. We must continue to eliminate easy access points for hackers and ensure the highest level of patient safety is upheld across all medical facilities.”
This story was updated with information from GE Healthcare.