NHS alerted to severe vulnerabilities in GE health equipment

Healthcare organisations around the world are inadvertently putting both the health and personal data of patients at risk, according to new disclosures from medical cyber security specialists CyberMDX and US cyber security agency CISA.

CISA issued an advisory on 23 January, containing six high-severity common vulnerabilities and exposures (CVEs) for various General Electric (GE) patient monitoring products in widespread use, the Carescape, ApexPro and Clinical Information Centre (CIC) systems.

“Our goal is to bring these issues to the attention of healthcare providers so they can be quickly addressed – contributing to safer, more secure hospitals,” said CyberMDX research head Elad Luz. “As such, every disclosure is another step in the right direction.”

The vulnerabilities are collectively referred to as MDHex, and were uncovered by Luz and his team when they investigated the use of deprecated Webmin versions and open port configurations in GE’s Carescape CIC Pro workstation.

They turned up six high-severity design flaws in the Carescape product line, which could collectively have enabled hackers to make changes to the device software, with consequences including leaving vital medical equipment unusable, interfering with its functionality, changing medical alarm settings and exposing patients’ health data.

The vulnerabilities each hinge on a different aspect of the various devices’ design and configuration – one concerns exposed private keys that could enable secure socket shell (SSH) abuse, while another enables rogue sever message block (SMB) connections thanks to hard-coded credentials in the Windows XP Embedded operating system.

The common thread is that they all have a direct path to compromise, whether that be through illicit control, read or write, or upload capabilities.

It’s not known how many affected devices are currently in use around the world, but according to CyberMDX, it could be in the hundreds of thousands.

Alongside CISA and GE, CyberMDX has been working since September 2019 on the vulnerabilities, culminating in a coordinated disclosure, and although GE has not yet made any patches available, Luz said: “The speed, responsiveness and seriousness with which GE treated this matter is very encouraging. “At the same time, there remains work to be done and we are eager to see GE issue security patches for these vital devices,” he added.

According to CISA, no known cyber attacks have yet taken place as a result of the vulnerabilities, nevertheless, until patches are available, the agency and GE have made a number of recommendations.

These include properly isolating the mission critical and/or information exchange networks on which the devices reside, which would mean an attacker would need physical access to the equipment, reconfiguring routers and firewalls to block traffic initiated from outside the network, restricting physical access to affected stations, servers and networks, changing default passwords for Webmin, and subsequently following password management best practice.

Synopsys senior security strategist Jonathan Knudsen said: “In healthcare, vulnerabilities in software can expose devices and systems to attack or misuse, which ultimately could have adverse effects on patient health. Reducing risk is a matter of finding and fixing vulnerabilities. The researchers did the right thing by discreetly notifying the manufacturer, allowing time for a coordinated disclosure to the public. 

“While security research is an important component of improving the overall state of the industry, it’s not the most efficient way to keep risk low while building products,” he said. “The best way to stamp out vulnerabilities is to find them as soon as possible by using a secure development life cycle (SDLC). At every stage of product development, vulnerabilities are identified and eradicated.

“Security is a part of every phase of the SDLC. The resulting software products are safer, more secure and more robust, which means they present lower risk for the builder and its customers. A proactive approach to software security results in lower risk and lower costs in the long run.”