A warning about vulnerabilities in GE medical equipment has been issued by the Cybersecurity & Infrastructure Security Agency (CISA), a division of the U.S. Department of Homeland Security. The vulnerabilities are collectively rated as a CVSS v3 10.00 and affect GE CARESCAPE, ApexPro, and Clinical Information Center systems. They are exploitable remotely and require little skill to exploit.
CISA describes the group of vulnerabilities (CVE-2020-6961, CVE-2020-6962, CVE-2020-6963, CVE-2020-6964, CVE-2020-6965, CVE-2020-6966) and the consequences of exploitation in detail in the following excerpt from its report:
Successful exploitation of these vulnerabilities could occur when an attacker gains access to the mission critical (MC) and/or information exchange (IX) networks due to improper configuration or physical access to devices. An exploit could result in a loss of monitoring and/or loss of alarms during active patient monitoring.
These vulnerabilities, if exploited, may allow an attacker to obtain PHI data, make changes at the operating system level of the device, with effects such as rendering the device unusable, otherwise interfering with the function of the device and/or making certain changes to alarm settings on connected patient monitors, and/or utilizing services used for remote viewing and control of devices on the network to access the clinical user interface and make changes to device settings and alarm limits, which could result in missed or unnecessary alarms or silencing of some alarms.
CISA was notified of the GE medical equipment vulnerabilities by Elad Luz of CyberMDX. Although CISA is based in the United States, the affected systems are deployed worldwide. Compounding the issue, GE had not yet developed patches for these vulnerabilities at the time of this article's writing. For the time being, GE recommends on its official website specific steps to mitigate the risk of exploitation: if the systems are isolated so as to prevent remote attacks and separated from other hospital networks, the chance of exploitation is reduced.
GE acknowledges that this is a temporary, and not airtight, solution. Until the patches GE is currently working on are released, this is all medical care providers can do. Attacks against hospitals are on the rise, and defensive measures must be employed, especially in cases like this.