Feds Alert to Critical Vulnerabilities in GE Patient Monitoring Products
Both FDA and DHS CISA are urging healthcare organizations to remediate risks associated with six critical and high severity vulnerabilities found in certain GE patient products.
By - Critical vulnerabilities found in certain GE patient monitoring, servers, and telemetry systems could allow a remote hacker to alter the function of the device, steal patient data, or interfere with device function, according to alerts from the Food and Drug Administration and the Department of Homeland Security Cybersecurity Infrastructure Security Agency.
The vulnerabilities were found by CyberMDX Researcher Elad Luz in GE CARESCAPE Telemetry Server, Central Station, and B450, B650, B850 monitors, as well as the ApexPro Telemetry Server and Clinical Information Center. In total, Luz found five critical flaws and one ranked high severity.
“These vulnerabilities might allow an attack to happen undetected and without user interaction,” FDA officials warned. “Because an attack may be interpreted by the affected device as normal network communications, it may remain invisible to existing security measures.”
One vulnerability allows for the unprotected storage of credentials, which could allow an attacker to obtain SSH private keys in configuration files. The affected products also leverage hard coded SMB credentials that could allow a hacker to remotely access arbitrary code.
The researcher also found a missing authentication for the critical function of the integrated service for the keyboard switching in the impacted devices, which could allow remote keyboard input access without network authentication.
Another flaw was found in the software update mechanism that could allow unrestricted arbitrary file uploads on the system through a crafted update package.
Lastly, the affect platforms use a weak encryption scheme for its remote desktop control, which could allow a hacker to access remote code execution of the devices on the network.
“Successful exploitation of these vulnerabilities could occur when an attacker gains access to the mission critical and/or information exchange networks due to improper configuration or physical access to devices,” according to the CISA alert.
“An exploit could result in a loss of monitoring and/or loss of alarms during active patient monitoring,” it continues. “These vulnerabilities, if exploited, may allow an attacker to obtain PHI data [and] make changes at the operating system level of the device.”
As a result, an exploited device could be rendered unusable or interfere with the device function, as well as allow an attacker to change alarm settings on connected patient monitors and or use the services for remote viewing and control devices on the “network to access the clinical user interface and make changes to device settings and alarm limits.”
The attacks could lead to a missed, silenced, or unnecessary alarms.
GE is urging its healthcare clients to ensure the proper configuration of mission critical or data sharing networks to meet the requirements of its patient monitoring network configuration guide to isolate and configure the devices.
“A properly isolated network requires an attacker to gain physical access in order to carry out an exploit,” GE officials wrote. “The mission control and information exchange networks are isolated and if connectivity is needed outside [those] Networks, a Router/Firewall is used to allow only the necessary data flows and block all other data flows.”
IT and or security leaders should also ensure those network are set up to block all incoming traffic initiated from outside of the network, with exceptions for required clinical data flows.
GE stressed these ports should always be blocked for all incoming traffic initiated outside of the network: “TCP Port 22 for SSH and TCP and UDP Ports 137, 138, 139, and 445 for NetBIOS, and SMB, as well as TCP Ports 10000, 5225, 5800, 5900, and 10001.”
Organizations should also restrict physical access to the impacted products and those networks, while ensuring the default passwords for the Webmin have been changed as recommended. Leaders should also be following password management best practices.
Currently, GE is unaware of any “reported incidences of a cyberattack in a clinical use or any reported injuries associated with any of these vulnerabilities.” The vendor is also developing software updates and patches with improved security features.
“In accordance with GE’s continual cybersecurity hygiene process, users can access GE’s security website to receive the most up-to-date information and subscribe to receive notifications when new updates/patches are available,” officials wrote.
CISA recommends healthcare organizations “take defensive measures to minimize the risk of exploitation of these vulnerabilities,” including location medical system networks and remote devices behind firewalls and isolating them from the network.
Only if connectivity is required outside of the mission control or information exchange network should a “firewall or router be used with very strict rules allowing only very explicit network flows.”
“Where additional information is needed, refer to existing cybersecurity in medical device guidance issued by the FDA,” CISA officials wrote. “CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.”
