Several potentially serious vulnerabilities have been found in patient monitoring products made by GE Healthcare, the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) and healthcare cybersecurity firm CyberMDX revealed on Thursday.
The vulnerabilities were discovered by CyberMDX researchers during an investigation into GE’s CARESCAPE Clinical Information Center (CIC) Pro product. The analysis ultimately resulted in the discovery of six flaws across CIC Pro, patient monitors, servers, and telemetry systems.
The vulnerabilities, a majority of which have been assigned critical severity ratings, have been collectively called MDhex by CyberMDX. According to the cybersecurity firm, they can be exploited to make devices unusable or interfere with their functionality, change alarm settings, and obtain protected health information (PHI).
One of the vulnerabilities can be exploited to establish a remote SMB connection and read or write files on the system. An attacker can connect to the targeted system using hardcoded credentials that are shared across CARESCAPE devices and which can be easily obtained by performing a password recovery on the Windows XP operating system embedded in affected devices.
CyberMDX researchers also discovered hardcoded VNC credentials, which can be easily obtained from product documentation.
GE Healthcare has also inadvertently exposed SSH private keys, making it possible for hackers to remotely connect to devices and execute malicious code.
Another vulnerability is related to the presence of the KaVoom! KM keyboard-mouse software, which enables users to centrally manage multiple workstations. While this functionality can be useful for legitimate users, it can also be abused by malicious actors to change device settings and alter data.
The researchers also found that the Webmin system configuration tool present on affected devices is old and full of known vulnerabilities.
Finally, they discovered that the software update manager running on impacted GE devices does not properly verify updates, allowing an attacker to cause a DoS condition or install malicious software.
Elad Luz, head of research at CyberMDX, told SecurityWeek that the vulnerabilities, particularly the ones involving hardcoded credentials, are not difficult to exploit, and an attack could potentially be routed from the internet given that hospitals are typically not isolated from the internet.
GE Healthcare is working on developing patches for these vulnerabilities and the updates, which will contain additional security enhancements as well, should become available in the second quarter of 2020. In the meantime, the company has advised facilities using the affected devices to follow network management best practices in order to prevent potential attacks.
The company is not aware of any incidents involving these vulnerabilities and it has pointed out that monitoring devices contain minimal PHI, such as name and basic vitals, but not databases of stored information. Furthermore, even this minimal data is only stored on monitoring devices for a brief period — depending on the device and its configuration — and in most cases it should be deleted when the patient is discharged.
This is not the first time CyberMDX has found flaws in GE Healthcare products. Last year, the cybersecurity company reported discovering weaknesses in anesthesia machines.
GE initially downplayed the severity of the flaws and said they don’t pose any risk to patients, but later admitted that their exploitation can have serious consequences.