Monday, September 20, 2021

MEDICAL DEVICE NEWS MAGAZINE

A DIGITAL PUBLICATION FOR THE PRACTICING MEDICAL SPECIALIST, INDUSTRY EXECUTIVE AND INVESTOR
CyberMDX Research Team Discovers Collection of GE Medical Device Vulnerabilities: “MDhex”

A collection of six cybersecurity vulnerabilities has been discovered in a range of GE Healthcare devices popular in hospitals, the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) disclosed today. The vulnerabilities, discovered by healthcare cybersecurity provider CyberMDX, could allow an attacker to make changes at the software level of the device, with possible ramifications including rendering the device unusable, interfering with device functionality, certain changes to alarm settings, and exposure of PHI.

The CyberMDX research team found these vulnerabilities — collectively referred to as “MDhex” — while investigating the use of deprecated Webmin versions and potentially problematic open port configurations in GE’s CARESCAPE CIC Pro workstation. The investigation ultimately turned up six different design flaws all constituting high-severity security vulnerabilities present in GE CARESCAPE Patient Monitors, ApexPro, and Clinical Information Center (CIC) systems. Five of the vulnerabilities were given CVSS (v3.1) values of 10, while the remaining vulnerability scored an 8.5 on the National Infrastructure Advisory Council’s (NIAC) 1-10 scale for assessing the severity of computer system vulnerabilities.

Launched in 2007, the CARESCAPE product line is extremely popular and has seen adoption in hospitals across the globe. Affected products include certain versions of the CARESCAPE Central Information Center (CIC), Apex Telemetry Server/Tower, Central Station (CSCS), Telemetry Server, B450 patient monitor, B650 patient monitor, and B850 patient monitor. Though GE declined to comment on the precise number of affected devices in use globally, the installed base is believed to be in the hundreds of thousands.

This bundle of six vulnerabilities was first reported on September 18, 2019. In the ensuing months, CyberMDX, GE, and CISA collaborated to confirm the vulnerabilities, audit their technical details, evaluate the associated risk, and work through the responsible disclosure process. Today, those efforts culminated in CISA’s release of an official advisory — ICSMA-120-023-01.

CyberMDX Head of Research, Elad Luz, commented, “Our goal is to bring these issues to the attention of healthcare providers so that they can be quickly addressed — contributing to safer, more secure hospitals. As such, every disclosure is another step in the right direction. The speed, responsiveness, and seriousness with which GE treated this matter is very encouraging. At the same time, there remains work to be done and we are eager to see GE issue security patches for these vital devices.”

Each of the six vulnerabilities is predicated on a different aspect of the devices’ design and configuration. For instance, one of the vulnerabilities concerns exposed private keys enabling SSH abuses, while another enables rogue SMB connections as a result of credentials hard-coded in the Windows XP Embedded (XPe) operating system. The common element across the MDhex vulnerabilities — beyond the devices they affect and their shared point of discovery — is that they all present a direct path to the device’s compromise, whether by way of illicit control, read, write, or upload capabilities. If exploited, these vulnerabilities could directly impact the confidentiality, integrity, and availability of devices.

The discovery of these vulnerabilities is the latest in a fast-growing list of examples highlighting the need for all medical device stakeholders to redouble their vigilance in protecting patient safety — improving the security and resiliency of medical devices, both pre-market and post-market.

More information on the vulnerability can be found here.

Medical Device News Magazine (https://infomeddnews.com)
Medical Device News Magazine is a division of PTM Healthcare Marketing, Inc. Pauline T. Mayer is the managing editor.
