Critical Vulnerabilities Identified in More Than 100 GE Healthcare Imaging and Ultrasound Products

Two critical severity vulnerabilities have been identified in GE Healthcare medical imaging devices that allow remote code execution and access/alteration of sensitive patient data. The vulnerabilities affect GE Healthcare’s proprietary management software and impact more than 100 GE Healthcare imaging devices including MRI, Ultrasound, Advanced Visualization, Interventional, X-Ray, Mammography, Computed Tomography, Nuclear Medicine and PET/CT devices.

Affected GE Healthcare Products

Device                     Product Families
MRI                        Brivo, Optima, Signa
Ultrasound                 EchoPAC, Image Vault, LOGIQ, Vivid, Voluson
Advanced Visualization     AW
Interventional             Innova, Optima
X-Ray                      AMX, Brivo, Definium, Discovery, Optima, Precision
Mammography                Seno, Senographe Pristina
Computed Tomography        BrightSpeed, Brivo, Discovery, Frontier LightSpeed, Optima, Revolution
Nuclear Medicine, PET/CT   Brivo, Discovery, Infinia Optima, PET Discovery, PETtrace, Ventri, Xeleris

The vulnerabilities were identified by Lior Bar Yosef and Elad Luz of CyberMDX, who reported them to GE Healthcare in May 2020. CyberMDX has dubbed the flaws MDHexRay; both have been assigned a CVSS v3 base score of 9.8 out of 10.

The first flaw is due to unprotected transport of credentials across the network and is tracked as CVE-2020-25175. The second flaw is due to the exposure of sensitive system information to an unauthorized control sphere, which could allow exposed/default credentials to be used to access or modify sensitive information.

The CyberMDX researchers found that GE Healthcare’s maintenance protocols relied on certain ports being open and accessible to GE Healthcare so that the devices could be remotely managed over the internet. While credentials are necessary for the update and maintenance software, GE Healthcare would only change the default credentials at the request of a customer, and the default credentials used by GE Healthcare could be easily found online. It is unclear how many customers requested that the default credentials be changed.

Exploiting the vulnerabilities would require an attacker to already be connected to the hospital network. The default credentials could then be used to access vulnerable connected imaging devices and any data stored on the devices. The medical devices could not be accessed over the Internet by unauthorized users who do not have access to a hospital’s internal network. There are no reported cases of the vulnerabilities being exploited in the wild.

GE Healthcare has conducted a risk assessment of the vulnerabilities and determined there are no patient safety concerns; the flaws do, however, pose a risk to patient privacy. It would also be possible for an attacker to modify patient data, which could potentially influence the results of certain therapies. Since data only remains on the imaging machines for a limited amount of time before being transferred to PACS, the patient information that could be obtained or modified would be limited.

According to the DHS Cybersecurity and Infrastructure Security Agency (CISA), “If exploited, these vulnerabilities could allow an attacker to gain access to affected devices in a way that is comparable with GE (remote) service user privileges. A successful exploitation could expose sensitive data such as a limited set of patient health information (PHI) or could allow the attacker to run arbitrary code, which might impact the availability of the system and allow manipulation of PHI.”

No patch is available to correct the vulnerabilities, but the issue can be mitigated by changing the default password; however, that cannot be performed by end users, only by GE Healthcare. GE Healthcare is now notifying its customers and is helping affected customers change the default password and ensure that their product firewalls are set up properly. Customers are also being advised to follow best practices for network management and security. CyberMDX recommends restricting ports 21 (FTP), 22 (SSH), 23 (Telnet), and 512 (REXEC) to a listening state.
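The mitigation above comes down to two checks a hospital network team can make on its own: which of the four maintenance ports each imaging device exposes, and to whom. The script below is an added example written for this article, not code from CyberMDX or GE Healthcare. It audits a firewall allow list for the advisory's ports and flags any rule that admits more than a single approved vendor maintenance address, ranking FTP, Telnet and REXEC first because those protocols carry credentials in cleartext (the condition behind CVE-2020-25175), while SSH is still flagged because default credentials are the second issue. The device names, the rule set and the vendor address are constructed sample data; the assumption that vendor maintenance arrives from exactly one host is the author's here, not something the article states.

```python
"""Audit which imaging devices expose the maintenance ports named in the
advisory (21 FTP, 22 SSH, 23 Telnet, 512 REXEC) to anything other than an
approved vendor maintenance address.

Added example; not CyberMDX or GE Healthcare code. The device inventory,
firewall rules and the vendor maintenance address are constructed samples.
"""

from dataclasses import dataclass
import ipaddress

# Ports called out in the advisory, with a flag for whether the protocol
# sends credentials in cleartext on the wire.
MAINTENANCE_PORTS = {
    21: ("FTP", True),
    22: ("SSH", False),
    23: ("Telnet", True),
    512: ("REXEC", True),
}


@dataclass(frozen=True)
class Rule:
    """One allow rule: which source network may reach which device port."""
    device: str
    port: int
    source: str  # CIDR notation, e.g. "10.0.0.0/8"


# Constructed sample: an imaging-subnet allow list as it might be exported
# from a hospital firewall. Device names are placeholders.
SAMPLE_RULES = [
    Rule("mri-01", 22, "192.0.2.10/32"),   # vendor service host only: fine
    Rule("mri-01", 21, "10.0.0.0/8"),      # FTP open to the whole LAN
    Rule("ct-02", 23, "0.0.0.0/0"),        # Telnet open to everything
    Rule("ct-02", 512, "192.0.2.10/32"),   # REXEC restricted to vendor host
    Rule("us-03", 22, "10.0.0.0/8"),       # SSH open to the LAN
    Rule("us-03", 443, "10.0.0.0/8"),      # not a maintenance port: ignored
]

# Constructed: the single address from which vendor maintenance is expected
# (an assumption of this example, not a value from the advisory).
VENDOR_MAINTENANCE_HOST = ipaddress.ip_address("192.0.2.10")


def rule_is_restricted(rule: Rule, vendor_host) -> bool:
    """True when the rule admits exactly one address and it is the vendor host."""
    net = ipaddress.ip_network(rule.source, strict=False)
    return net.num_addresses == 1 and vendor_host in net


def audit(rules, vendor_host=VENDOR_MAINTENANCE_HOST):
    """Return (device, port, protocol, source, cleartext) for every maintenance
    port reachable from beyond the vendor host, cleartext protocols first."""
    findings = []
    for r in rules:
        if r.port not in MAINTENANCE_PORTS or rule_is_restricted(r, vendor_host):
            continue
        proto, cleartext = MAINTENANCE_PORTS[r.port]
        findings.append((r.device, r.port, proto, r.source, cleartext))
    # Cleartext-credential exposures sort first, then by device and port.
    findings.sort(key=lambda f: (not f[4], f[0], f[1]))
    return findings


def summarize(findings) -> dict:
    """Per-device count of exposed maintenance ports and of cleartext ones."""
    per_device = {}
    for device, _port, _proto, _src, cleartext in findings:
        entry = per_device.setdefault(device, {"exposed": 0, "cleartext": 0})
        entry["exposed"] += 1
        entry["cleartext"] += int(cleartext)
    return per_device


if __name__ == "__main__":
    results = audit(SAMPLE_RULES)
    for device, port, proto, src, cleartext in results:
        kind = "CLEARTEXT CREDENTIALS" if cleartext else "encrypted, check default creds"
        print(f"{device}: {proto}/{port} reachable from {src} ({kind})")
    print(summarize(results))
```

Run against a real export, the output is a worklist: cleartext-protocol rules are the ones to tighten to the vendor host first, and any device still listed for SSH is one to raise with GE Healthcare for a default-password change.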

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.