GE Healthcare warns of cybersecurity risks in ultrasound devices, software

Dive Brief:

  • GE Healthcare said Tuesday some of its ultrasound devices have vulnerabilities that malicious actors with physical access to the products could exploit.
  • Nozomi Networks Labs, a cybersecurity group that discovered the vulnerabilities, said the flaws could allow someone to put ransomware on an ultrasound machine or manipulate patient data.
  • GE Healthcare said in cybersecurity notices that existing mitigations and controls “reduce the risk as far as possible” and it would be “immediately obvious” if a malicious actor rendered an ultrasound device unusable.

Dive Insight:

GE Healthcare disclosed the vulnerabilities on its product security portal. The company outlined the vulnerabilities, the risks and recommendations for users of the products in two new posts and an update to an entry from 2020. The notices cover products including the Vivid line of ultrasound devices.

Nozomi provided more information in a blog post, which was also posted on Tuesday. The cybersecurity group described 11 vulnerabilities that affect several GE Healthcare systems and software programs. Researchers found the flaws as part of an investigation into ultrasound devices used in cardiovascular care.

The Vivid T9 ultrasound device analyzed by Nozomi features a desktop PC that runs a customized version of Microsoft Windows 10. The interface largely restricts users from accessing the operating system. Vivid T9 comes with an accessory management web application and a clinical software package. Nozomi found vulnerabilities in the system that could be exploited to gain administrative privileges. 

After obtaining full privileges, the cybersecurity researchers were able to make the device’s screen show an image requesting a ransom.

Nozomi also found nothing can stop an attacker with full privileges from “accessing and even manipulating all patient data” stored on the device. The researchers outlined what could happen if a primary healthcare facility in a major city was the victim of an attack via Vivid T9. 

“The inability to access or use the devices due to ransomware could delay critical medical procedures, hinder accurate diagnoses and impede timely treatment,” Nozomi said. “Patient confidentiality, a cornerstone of healthcare ethics, could be compromised, leading to potential breaches of privacy and legal implications for the hospital.”

Nozomi wrote that GE Healthcare confirmed its “trained medical staff has executed medical safety risk assessment following regulatory expectations.”

The cyber firm recommended never leaving ultrasound devices unattended and blocking incoming connections to workstations that have the clinical software installed and are connected to unprotected networks.