Le Lézard
Classified in: Health, Science and technology
Subject: PDT

CyberMDX Research Team Discovers Collection of GE Medical Device Vulnerabilities -- "MDhex"


NEW YORK, Jan. 23, 2020 /PRNewswire/ -- A collection of six cybersecurity vulnerabilities has been discovered in a range of GE Healthcare devices popular in hospitals, the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) disclosed today. The vulnerabilities, discovered by healthcare cybersecurity provider CyberMDX, could allow an attacker to make changes at the software level of the device, with possible ramifications including rendering the device unusable, interfering with device functionality, certain changes to alarm settings, and exposure of PHI.

The CyberMDX research team found these vulnerabilities ? collectively referred to as "MDhex" ? while investigating the use of deprecated webmin versions and potentially problematic open port configurations in GE's CARESCAPE CIC Pro workstation. The investigation ultimately turned up six different design flaws all constituting high-severity security vulnerabilities present in GE CARESCAPE Patient Monitors, ApexPro, and Clinical Information Center (CIC) systems. Five of the vulnerabilities were given CVSS (v3.1) values of 10, while the remaining vulnerability scored an 8.5 on the National Infrastructure Advisory Council's (NIAC) 1-10 scale for assessing the severity of computer system vulnerabilities.

Launched in 2007, the CARESCAPE product line is extremely popular and has seen adoption in hospitals across the globe. Affected products include certain versions of the CARESCAPE Central Information Center (CIC), Apex Telemetry Server/Tower, Central Station (CSCS), Telemetry Server, B450 patient monitor, B650 patient monitor, and B850 patient monitor. Though GE declined to comment on the precise number of affected devices in use globally, the installed base is believed to be in the hundreds of thousands.

This bundle of six vulnerabilities was first reported on September 18, 2019. In the ensuing months, CyberMDX, GE, and CISA collaborated to confirm the vulnerabilities, audit their technical details, evaluate the associated risk, and work through the responsible disclosure process. Today, those efforts culminated in CISA's release of an official advisory ? ICSMA-120-023-01.

CyberMDX Head of Research, Elad Luz, commented, "Our goal is to bring these issues to the attention of healthcare providers so that they can be quickly addressed ? contributing to safer, more secure hospitals. As such, every disclosure is another step in the right direction. The speed, responsiveness, and seriousness with which GE treated this matter is very encouraging. At the same time, there remains work to be done and we are eager to see GE issue security patches for these vital devices."

Each of the six vulnerabilities are predicated on a different aspect of the devices' design and configuration. For instance, one of the vulnerabilities concerns exposed private keys enabling SSH abuses, while another enables rogue SMB connections as a result of credentials hard-coded in Windows XP Embedded (XPe) operating system. The common element across the MDhex vulnerabilities ? beyond the devices they affect and their shared point of discovery ? is that they all present a direct path to the device's compromise; whether  by way of illicit control, read, write, or upload capabilities. If exploited, this vulnerability could directly impact the confidentiality, integrity, and availability of devices.

The discovery of these vulnerabilities is the latest in a fast growing list of examples highlighting the need for all medical device stakeholders to redouble their vigilance in protecting patient safety ? improving the security and resiliency of medical devices, both pre-market and post-market.

More information on the vulnerability can be found here.

About CyberMDX's Cybersecurity Research & Analysis Team

CyberMDX's research and analyst team regularly works with medical device organizations in the responsible disclosure of security vulnerabilities. The threat intelligence team works tirelessly to defend hospitals and healthcare organizations from malicious attacks. The team's researchers, white hat hackers, and engineers collect information about possible attack paths to understand attacker motives, means, and methods in an effort to deliver the best protection possible.

About CyberMDX

A pioneer in medical cybersecurity, CyberMDX is the company behind the leading IoMT visibility and security solution. CyberMDX identifies, categorizes, and protects connected medical devices ? ensuring resiliency as well as patient safety and data privacy. With CyberMDX's continuous endpoint discovery & mapping, comprehensive risk assessment, AI-powered containment & response, and operational analytics, risks are easily mitigated and assets optimized. For more information, please click here.

Contact:
Jon Rabinowitz
VP Marketing
CyberMDX
+1-646-794-4241

SOURCE CyberMDX


These press releases may also interest you

at 04:28
GymNation, the homegrown UAE fitness brand, has today announced that due to unprecedented growth, it is reaching capacity across its 12 UAE gym locations and diversifying into a new market, brewing up a storm with the launch of its first-ever branded...

at 04:00
Cancer spreads from its primary tumor to other parts of the body via blood or the lymphatic system in a process termed 'metastasis'. This usually represents an advanced stage in the disease's progression and tends to be fatal. Therefore, preventing...

at 03:30
Vicore Pharma Holding (STO:VICO)Sessions at ATS to include an oral late-breaking presentation of the final results from the Phase 2a AIR trial of buloxibutid (C21) in IPFAdditional presentations include preclinical and translational data reflecting...

at 03:13
Orexo's Annual and Sustainability Report for 2023 has been published and can be downloaded at, www.orexo.com. The Swedish version of the Report is also available on the company's website in European Single Electronic Format (ESEF). A PDF version is...

at 03:05
Surge has just closed its second round of funding, raising ?7.5 million. The round was led by Eurazeo with the participation of Kima, Teampact, and MH Innov', as well as the support of historical funds Boutique Venture, HCVC, and 50 Partners Santé....

at 03:00
CSL Vifor is pleased that its partner Akebia Therapeutics, Inc. today announced that the U.S. Food and Drug Administration (FDA) has approved Vafseo (vadadustat) tablets for the treatment of anemia due to chronic kidney disease (CKD) in adults who...



News published on and distributed by: