GE HealthCare, a prominent healthcare technology company, recently faced scrutiny after security researchers uncovered nearly a dozen vulnerabilities in certain ultrasound products. These vulnerabilities, if exploited by malicious actors with physical access to the devices, could result in the implantation of ransomware or unauthorized access to and manipulation of patient data stored on the affected devices.
The findings were detailed in a report published by Nozomi Networks, a cybersecurity firm, which highlighted 11 vulnerabilities affecting various ultrasound systems and software from GE HealthCare. The vulnerabilities were assigned CVSS v3.1 base scores, with the most severe being a 9.6 rating for a vulnerability related to the use of hard-coded credentials.
According to Nozomi Networks, these vulnerabilities could potentially be exploited for ransomware attacks or to gain access to sensitive patient data. This poses a significant risk to both the security of patient information and the integrity of medical procedures conducted using these ultrasound devices.
GE HealthCare responded to the report by issuing security bulletins and emphasizing that existing mitigations and controls are in place to reduce the risks posed by these vulnerabilities to acceptable levels. The company downplayed the severity of the findings and highlighted the measures it has taken to address the issues raised by Nozomi Networks.
Nevertheless, concerns remain among cybersecurity experts regarding the adequacy of GE HealthCare’s response to the vulnerabilities identified. Some experts argue that the responsibility for ensuring the security of medical devices should not solely rest on healthcare facilities but also on manufacturers like GE HealthCare. They believe that vendors should play a more proactive role in addressing and mitigating security risks in their products.
In a statement to Information Security Media Group, GE HealthCare reiterated that the safety and security of its devices are top priorities for the company. The company acknowledged the vulnerabilities identified in the ultrasound systems but maintained that no reports of exploitation or unauthorized access to data have been received.
The issues highlighted in the Nozomi Networks report reflect larger concerns about the security of legacy medical devices. Many older devices, including those manufactured by various companies, exhibit similar security flaws due to factors such as hard-coded passwords, lack of emphasis on security during development, and evolving cybersecurity threats.
Addressing these vulnerabilities requires a collaborative effort between manufacturers, healthcare facilities, and cybersecurity experts to identify and mitigate risks effectively. Enhancing visibility into device risks, implementing appropriate security controls, and ensuring ongoing monitoring and updates are essential steps in safeguarding healthcare technology from potential security breaches.
As the healthcare industry continues to rely on advanced technology for patient care, addressing cybersecurity risks in medical devices remains a crucial priority to protect patient data, ensure the integrity of medical procedures, and maintain the trust of healthcare providers and patients alike.
GE HealthCare, a major healthcare technology company, is taking measures to address security vulnerabilities found in certain ultrasound products following a report published by Nozomi Networks, which identified 11 vulnerabilities affecting various ultrasound systems and software from GE HealthCare. These vulnerabilities could potentially be exploited by malicious actors with physical access to the devices to implant ransomware or access and manipulate patient data stored on the affected devices.
In response to the report, GE HealthCare issued security bulletins downplaying the severity of the findings and emphasizing that existing mitigations and controls are in place to reduce the risks posed by these vulnerabilities to acceptable levels. However, concerns remain among cybersecurity experts about the adequacy of GE HealthCare’s response and the broader issue of security in legacy medical devices.
Maintaining the safety and security of medical devices is a shared responsibility that requires collaboration between manufacturers, healthcare facilities, and cybersecurity professionals. Enhancing visibility into device risks, implementing robust security controls, and staying vigilant against evolving threats are crucial steps in safeguarding healthcare technology and protecting patient data from potential breaches.