Dozens of medical imaging devices built by General Electric are secured with hardcoded default passwords that can’t be easily changed, but could be exploited to access sensitive patient scans, according to new findings by security firm CyberMDX.
The researchers said that an attacker would only need to be on the same network to exploit a vulnerable device, such as by tricking an employee into opening an email with malware. From there, the attacker could use those unchanged hardcoded passwords to obtain whatever patient data was left on the device or prevent the device from operating properly.
CyberMDX said X-ray machines, CT and MRI scanners, and ultrasound and mammography devices are among the affected devices.
GE uses hardcoded passwords to remotely maintain the devices. But Elad Luz, head of research at CyberMDX, said some customers were not aware that their devices were vulnerable. Luz described the passwords as “hardcoded” because, although they can be changed, customers have to rely on a GE engineer to change the passwords on-site.
The vulnerability has also prompted an alert by Homeland Security’s cybersecurity advisory unit, CISA. Customers of affected devices should contact GE to change the passwords.
Hannah Huntly, a spokesperson for GE Healthcare, said in a statement: “We are not aware of any incident where this potential vulnerability has been exploited in a clinical situation. We have conducted a full risk assessment and concluded that there is no patient safety concern. Maintaining the safety, quality, and security of our devices is our highest priority.”
It’s the latest find by the New York-based healthcare cybersecurity startup. Last year the startup also reported vulnerabilities in other GE equipment, which the company later admitted could have led to patient injury after initially clearing the device for use.
CyberMDX, which works primarily to secure medical devices and improve hospital network security through its cyber intelligence platform while conducting security research on the side, raised $20 million earlier this year, just a month into the COVID-19 pandemic.