GE Medical Device Cybersecurity Vulnerabilities Becoming More Public


Medical devices have vulnerabilities.

 

That’s a simple fact that medical device security experts don’t think too much about because we work on vulnerabilities as you work on patients. And like your patients, we have “frequent flyer” vendors whose devices drop very significant vulnerabilities regularly.

From 2001 to 2014, GE Healthcare has regularly failed to ensure that all of their devices have configurable root passwords. Root passwords. To be clear, these are the most important passwords for the medical device. These passwords often directly lead to the highest level of access, which includes all of your patient images and information. And these passwords get published publicly through the National Institute of Stands and Technology (www.nist.gov), websites that aggregate vulnerabilities (e.g. www.cvedetails.com ), and, of course, through secret channels of anyone who would want to make unauthorized contact with one of these medical devices.

This is a complete list of GE’s previous vulnerabilities (source: https://www.cvedetails.com/vulnerability-list/vendor_id-15545/Gehealthcare.html).


Unfortunately, a recently released advisory indicates that the previously discovered medical device cybersecurity vulnerability was just the surface of the problem.

 

Homeland Defense’s Cybersecurity and Infrastructure Security Agency recently stated that the following models are all affected by the same sort of vulnerabilities (source: https://us-cert.cisa.gov/ics/advisories/icsma-20-343-01):

Modality Product
MR 3.0T Signa HDxt / 3.0T Signa HDx, versions HD 16, HD23

1.5T Brivo MR355 / Optima MR360, versions SV20.1, SV23.0

1.5T Signa HDx / 1.5T Signa HDx, Signa HDi / Signa VIBRANT, versions HD16, HD23

Ultrasound, General Imaging LOGIQ 5 [BT03], LOGIQ 7 (BT03, BT04, BT06], LOGIQ 9 [BT02, BT03, BT04, BT06]
Ultrasound, Cardiovascular Vivid I [BT06], Vivid 7 {BT02-BT06], EchoPAC (Turnkey) [BT06], Image Vault (Turnkey) [4.3]
Ultrasound, Women’s Health Voluson 730 [BT05, BT08]
Advanced Visualization AW 4.0 to AW 4.6, AWS2.0 to AW3.0
Affected versions of the following can be determined by visiting the GE Customer Portal
Interventional Innova 2000, 3100, 4100, 2100-IQ, 3100-IQ, 4100-IQ, 212-IQ, 313-IQ

Optima 320, CL320i, CL323i, CL320, 3100

Optima IGS 320, 330; Innova IGS 5×0, 6×0, 7×0

Advanced Visualization AW 4.0 to AW 4.6, AWS2.0 to AW3.0
X-Ray Brivo XR118, XR383, XR515, XR575; Definium 5000, 6000, 8000, AMX 700; Discovery XR650, XR656, XR656+; Optima XR640, XR646, XR220amx, XR200amx; Precision 500D, WDR1
Mammography Seno 200D, DS, Essential; Senographe Pristina
Computed Tomography BrightSpeed Elite, Elite Select, Edge, Edge Select

Brivo CT385

Discovery CT590RT, CT750HD

LightSpeed VCT, Pro16, RT16

Optima Advance, CT520, CT540, CT660, CT580, CT580RT, CT580W, CT670, CT680 Quantum, Expert & Professional

Revolution EVO,HD,ACT, ACTs, CT, Discovery CT, Frontier, Frontier ES

Nuclear Medicine, PET/CT Brivo NM 615

Discovery NM 630, NM 750b, NM D530c, NM/CT D570c, NM/CT 670

Infinia

Discovery NM830, NM/CT 860, NM/CT850, NM/CT 870, MI MI DR, IQ

Optima NM/CT 640

Ventri

Xeleris

PET Discovery IQ, IQ upgrade

PETrace 800

 

The mitigations for these very significant vulnerabilities are complex and technical, and even with proper mitigations; the risk level as measured by the industry-standard scoring system (Common Vulnerability Scoring System Version 3) indicates that the critical risk vulnerability will only be reduced to a high-risk vulnerability.

Significant medical device cybersecurity vulnerability like these aren’t limited to just GE Healthcare. CE-Tech medical device security analysts have identified similar issues with several manufacturers. As medical device manufacturers continue to improve their security posture, it’s important that you have oversight over your devices and know where your risks lie. That’s where CE-Tech can help.

CE-Tech’s Cybersecurity Team can quickly identify where you’re vulnerable and help you identify practical mitigating strategies to protect your medical devices, your patients, and their data. If you have GE equipment, call CE-Tech today.