A new set of vulnerabilities affecting medical devices has been highlighted by CISA over in the US, and these are truly worrying security flaws because of the severity of them, and the potential havoc which could be wreaked – albeit there are no known exploits as yet.
CISA is the Cybersecurity and Infrastructure Security Agency (of the Department of Homeland Security), and it has officially issued an alert about the vulnerabilities which are collectively known as ‘MDhex’.
- Growing threat to medical devices will drive cybersecurity market
- Best medical alert smartwatches
- Best medical transcription services of 2020
Spotted by Cyberscoop, the problems pertain to GE Healthcare devices including Carescape patient monitors (B450, B650, B850 models), meaning the devices next to the patient’s bed which monitor all kinds of vital signs and other data.
The vulnerabilities mean that patient data could be potentially at risk, and more besides, as CyberMDX, the security firm which discovered the flaws, points out: “Most of the affected equipment can set the patient monitor’s alarm limits, admit or discharge patients, [and] set date and time.”
CISA separately noted that an exploit could potentially result in the monitor’s alarms being turned off, potentially leaving the patient in serious danger, or a loss of monitoring functionality full-stop.
While the security flaws have not yet been publicly exploited, as we mentioned at the outset, the worrying part is that CISA observes that they only require a (relatively) low level of skill to exploit, and the vulnerabilities are remotely exploitable.
GE Healthcare noted, however, that the level of vulnerability and risk of exploitation is higher if the network which the devices are on happens to be improperly configured.
GE Healthcare has already issued a statement to say: “We are instructing the facilities where these devices are located to follow network management best practices and are developing a software patch with additional security enhancements.
“We are not aware of any incidents where these vulnerabilities have been exploited in a clinical situation.”
So hopefully, that patch won’t be too long in the works. Further advice from GE Healthcare regarding applying network management best practices can be found here.
As well as the patient monitors, other GE Healthcare systems affected include the firm’s Clinical Information Center, Carescape Central Station, along with Carescape and ApexPro Telemetry Server hardware.
This isn’t the first time we’ve heard about a set of collective vulnerabilities which have hit medical equipment in recent times. Cast your mind back to October 2019, and you may recall the raft of network protocol bugs dubbed Urgent/11, which affected various healthcare devices and much more besides (for example, security cameras and routers).
Having a computer hacked is bad news, but the compromise of devices like a patient monitor or infusion pump is obviously a far more worrying prospect.
Last year, GE Healthcare anaesthesia devices were also found to have a remotely exploitable vulnerability, a discovery again made by CyberMDX.