GE Medical Device Cybersecurity Vulnerabilities Becoming More Public
Medical devices have vulnerabilities.
That’s a simple fact that medical device security experts don’t think too much about because we work on vulnerabilities as you work on patients. And like your patients, we have “frequent flyer” vendors whose devices drop very significant vulnerabilities regularly.
From 2001 to 2014, GE Healthcare regularly failed to ensure that all of their devices have configurable root passwords. Root passwords. To be clear, these are the most important passwords for the medical device. These passwords often directly lead to the highest level of access, which includes all of your patient images and information. And these passwords get published publicly through the National Institute of Standards and Technology (www.nist.gov), websites that aggregate vulnerabilities (e.g. www.cvedetails.com), and, of course, through secret channels of anyone who would want to make unauthorized contact with one of these medical devices.
This is a complete list of GE’s previous vulnerabilities (source: https://www.cvedetails.com/vulnerability-list/vendor_id-15545/Gehealthcare.html).
Unfortunately, a recently released advisory indicates that the previously discovered medical device cybersecurity vulnerability was just the surface of the problem.
Homeland Defense’s Cybersecurity and Infrastructure Security Agency recently stated that the following models are all affected by the same sort of vulnerabilities (source: https://us-cert.cisa.gov/ics/advisories/icsma-20-343-01):
Modality | Product |
MR | 3.0T Signa HDxt / 3.0T Signa HDx, versions HD 16, HD23; 1.5T Brivo MR355 / Optima MR360, versions SV20.1, SV23.0; 1.5T Signa HDx / 1.5T Signa HDx, Signa HDi / Signa VIBRANT, versions HD16, HD23 |
Ultrasound, General Imaging | LOGIQ 5 [BT03], LOGIQ 7 [BT03, BT04, BT06], LOGIQ 9 [BT02, BT03, BT04, BT06] |
Ultrasound, Cardiovascular | Vivid I [BT06], Vivid 7 [BT02-BT06], EchoPAC (Turnkey) [BT06], Image Vault (Turnkey) [4.3] |
Ultrasound, Women’s Health | Voluson 730 [BT05, BT08] |
Advanced Visualization | AW 4.0 to AW 4.6, AWS2.0 to AW3.0 |
Affected versions of the following can be determined by visiting the GE Customer Portal | |
Interventional | Innova 2000, 3100, 4100, 2100-IQ, 3100-IQ, 4100-IQ, 212-IQ, 313-IQ; Optima 320, CL320i, CL323i, CL320, 3100 Optima IGS 320, 330; Innova IGS 5×0, 6×0, 7×0 |
Advanced Visualization | AW 4.0 to AW 4.6, AWS2.0 to AW3.0 |
X-Ray | Brivo XR118, XR383, XR515, XR575; Definium 5000, 6000, 8000, AMX 700; Discovery XR650, XR656, XR656+; Optima XR640, XR646, XR220amx, XR200amx; Precision 500D, WDR1 |
Mammography | Seno 200D, DS, Essential; Senographe Pristina |
Computed Tomography | BrightSpeed Elite, Elite Select, Edge, Edge Select; Brivo CT385 Discovery CT590RT, CT750HD LightSpeed VCT, Pro16, RT16 Optima Advance, CT520, CT540, CT660, CT580, CT580RT, CT580W, CT670, CT680 Quantum, Expert & Professional Revolution EVO, HD, ACT, ACTs, CT, Discovery CT, Frontier, Frontier ES |
Nuclear Medicine, PET/CT | Brivo NM 615; Discovery NM 630, NM 750b, NM D530c, NM/CT D570c, NM/CT 670 Infinia Discovery NM830, NM/CT 860, NM/CT850, NM/CT 870, MI MI DR, IQ Optima NM/CT 640 Ventri Xeleris PET Discovery IQ, IQ upgrade PETrace 800 |
The mitigations for these very significant vulnerabilities are complex and technical. Even with proper mitigations, the risk level as measured by the industry-standard scoring system (Common Vulnerability Scoring System Version 3) indicates that the critical-risk vulnerability will only be reduced to a high-risk vulnerability.
Significant medical device cybersecurity vulnerabilities like these aren’t limited to just GE Healthcare. CE-Tech medical device security analysts have identified similar issues with several manufacturers. As medical device manufacturers continue to improve their security posture, it’s important that you have oversight over your devices and know where your risks lie. That’s where CE-Tech can help.
CE-Tech’s Cybersecurity Team can quickly identify where you’re vulnerable and help you identify practical mitigating strategies to protect your medical devices, your patients, and their data. If you have GE equipment, call CE-Tech today.