Security News > 2020 > January > MDhex vulnerabilities open GE Healthcare patient monitoring devices to attackers

MDhex vulnerabilities open GE Healthcare patient monitoring devices to attackers
2020-01-24 13:09

Researchers have discovered six critical and high-risk vulnerabilities - collectively dubbed MDhex - affecting a number of patient monitoring devices manufactured by GE Healthcare.

The flaws may, according to GE Healthcare, allow an attacker to make changes at the device's OS level that may render the device unusable or interfere with its function, make changes to alarm settings on connected patient monitors, and utilize services used for remote viewing and control of multiple devices on the network to access the clinical user interface and make changes to device settings and alarm limits, which could lead to missed, unnecessary, or silenced alarms.

"Properly configured MC and IX networks greatly reduce but do not eliminate the ability to gain access to the networks. As a result, if the networks are properly isolated, for this issue to occur, the unauthorized person would need to gain physical access to the listed monitoring devices themselves individually or acquire direct access to the isolated MC or IX networks on-site at the hospital," the company noted.

"Finding vulnerabilities in medical devices is like hitting snooze on your alarm in the morning. This isn't your drop-dead to get out of bed and it's not a breach, but it's your warning that attackers, who are sometimes closer on our tail than we'd like to admit, have a new pathway in," commented Nadir Izrael, CTO and co-founder of Armis.

"Medical data and patient data is valuable, as is the life giving operation of the medical devices themselves, and it's what attackers are looking to steal or disrupt. It's why I've seen MRI machines talking to servers in Russia, a medical crash cart being used to access Facebook or phishing websites, and even an infusion pump infected by malware that was still connected to a patient. MDHex is a reminder that trust in the security of patient care devices can't be given implicitly any more. Hospitals need to know that many medical devices are inherently insecure, built without security in mind and without an agent, and extremely difficult to patch, if at all."


News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/ppRjNs3YklQ/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
GE 164 5 45 37 34 121