Cybersecurity company CyberMDX discovered the flaw, MDhex-Ray, which could allow remote exploits that would compromise connected radiology devices – enabling access to and potential manipulation of protected health data.
The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency announced this week that new vulnerabilities have been detected in an array of radiology tools – CT and PET scanners, mammography devices, MRI machines, ultrasounds, X-rays and molecular imaging devices – from GE.
WHY IT MATTERS
The weak spots, first found by healthcare IoT and cybersecurity company CyberMDX, could enable a cyber attacker to gain remote access to protected health and imaging information, alter data and even take the machines offline by running arbitrary code.
CISA has assigned the flaw – which appears to stem from some hard-coded default passwords used by GE – a score of 9.8 on the Common Vulnerability Scoring System, a severity that’s considered critical.
Researchers “discovered this vulnerability after noticing similar patterns of unsecured communications between medical devices and the corresponding vendor’s servers across several different HDOs,” according to CyberMDX. “After detecting the anomalies, the research further investigated discovering multiple recurring maintenance scenarios instigated automatically by GE’s server,” researchers explained. “The maintenance protocols rely on the machine having certain services available/ports open and using specific globally-used credentials. These global credentials provide hackers with easy access to crucial medical devices. They also enable them to run arbitrary code on impacted machines and provide access to any data from the machine.”
The vulnerability, known as MDhex-Ray – it’s been confirmed by GE, which is working with CISA to fix it – could impact a long list of the radiological machines mentioned above, according to CyberMDX, and could also affect certain workstations and surgical imaging tools.
THE LARGER TREND
“GE has identified mitigations for specific products and releases and will take proactive measures to ensure proper configuration of the product firewall protection and change default passwords on impacted devices where possible,” said CISA officials in the agency’s alert.