Thursday, May 23, 2024

GE Medical Ultrasound imager critical security vulnerabilities

"Vulnerabilities" meaning plural: remote code execution, ransomware danger, other cool stuff.  

The good news: you need physical access to the device (supposedly; of course these would *never* be put on the network ...).  The bad news: it's unlikely in the extreme that these devices will ever get patched.

If only someone had been warning them of this problem ...


danielbarger said...

Virtually ALL Ultrasound machines are connected to a network. That's because for the past two decades the vast majority of Medical Imaging exams are stored on a PACS network. A separate computer server/system. While there is little reason for hackers to focus on medical imaging systems because there isn't a lot of profit in doing so, it's a possibility. As a medical imaging specialist for 47 years with 12 of those years spent as a PACS system administrator I can tell you first hand that network security in the hospital setting usually takes a back seat to convenience and user friendly configuration. A user friendly system is not very secure. A very secure system is not user friendly. Just the nature of things. Most of the information healthcare systems have stored is of minimal use to hackers. The majority of the time it's simply held hostage as part of a ransomware attack. The hackers can't use the info but the organization they target can't function well without access to it. So they demand money to release it. This is where scrupulous backups of data become important.

Old NFO said...

Daniel beat me to it. Sigh

ASM826 said...

Every medical device goes through an evaluation and is signed off on by the FDA. This can be a time consuming and expensive process. Achieving that approval is a milestone to bring your device to market. If that device is using an operating system, the operating system and the release of that operating system are an integral part of the approved product.

No matter what upgrades to the operating system might be released, what security patches might come out, they cannot be installed on the approved device. The manufacturers warn the clinics and hospitals that the approval on the device is voided if anyone upgrades the O/S. This would put the hospital, clinics, and doctors in legal jeopardy.

For example, in the mid 2000s, a major system I supported, used in patient treatment and housing identifiable patient data, was running an early unpatched version of Windows NT. And we could not patch it.

Our solution was to sandbox it. We put it behind a hardware firewall. Readdressed everything. Individually ruled in every MAC address. It was as secure as we could make it. Every access attempt was logged, every user and device tracked. All traffic was encrypted. We had zero trust.

I always expected the FDA to wake to the risk this policy created, but if they have done so, I am not aware of it. Here's an article from 2020 that states that 83% of medical devices are running outdated software, including 27% that are still running on Windows XP.
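
The sandboxing approach ASM826 describes above (hardware firewall in front of the device, readdressed segment, every permitted MAC address ruled in individually, every access attempt logged), written out as an added nftables ruleset for a transparent bridge; this is an illustrative example, not configuration from the comment or from any vendor, and the MAC addresses, the device IP 10.50.0.10 and the port 104/tcp are constructed placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example: transparent-bridge firewall in front of an unpatchable
# legacy imaging workstation. All addresses below are constructed placeholders.
flush ruleset

table bridge legacy_segment {
    # The only peers allowed to reach the device, ruled in one MAC at a time:
    # 00:11:22:33:44:55 = PACS archive server (constructed)
    # 00:11:22:33:44:66 = radiology review workstation (constructed)
    set allowed_macs {
        type ether_addr
        elements = { 00:11:22:33:44:55, 00:11:22:33:44:66 }
    }

    chain forward {
        # Default-deny: anything not explicitly ruled in is dropped.
        type filter hook forward priority 0; policy drop;

        # Inbound: only listed MACs, only to the device, only the image
        # transfer port (constructed as 104/tcp). Every accepted attempt is logged.
        ether saddr @allowed_macs ip daddr 10.50.0.10 tcp dport 104 \
            log prefix "legacy-allow: " accept

        # Outbound: the device may answer only the same listed peers.
        ip saddr 10.50.0.10 ether daddr @allowed_macs \
            log prefix "legacy-reply: " accept

        # Everything else (unknown MACs, other ports, scans) is logged and dropped.
        log prefix "legacy-deny: " drop
    }
}
```

The log prefixes give a SIEM a simple split between expected and unexpected access to the device; encryption of the permitted traffic, which the comment also mentions, has to be handled by the endpoints or a tunnel rather than by this ruleset.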

danielbarger said...

Not much money to be made updating the OS of a system that cost a quarter million or more. The goal is to sell a newer system or, failing that, selling a "software upgrade package". With third party equipment manufacturers all that matters is generating a bill. And with healthcare CFOs money spent on cyber security doesn't generate cash flow, so it's not considered important. Not until something goes wrong.

commoncents said...

"It's about hope and unity" - Trump at Bronx rally: Resident says atmosphere was electrifying - VIDEO

ps. could you pls add CC to your blogroll? thanks!