Researchers Uncover Critical Vulnerabilities in GE HealthCare Ultrasound Systems and EchoPAC Software

Researchers Uncover Critical Vulnerabilities in GE HealthCare Ultrasound Systems and EchoPAC Software
The Vivid T9 ultrasound system

What You Should Know: 

– Security researchers at Nozomi Networks Labs have identified a total of 11 vulnerabilities affecting GE HealthCare’s Vivid family of ultrasound machines, the accompanying Common Service Desktop web application, and EchoPAC PC software. 

– These vulnerabilities could be exploited by attackers to disrupt critical medical procedures, compromise patient data privacy, and hinder accurate diagnoses.

Vulnerable Devices and Potential Impacts

  • Vivid T9 Ultrasound System: An attacker with physical access to the device could potentially deploy ransomware, effectively locking healthcare providers out of the system and delaying critical procedures.
  • Common Service Desktop Web Application: Abusing vulnerabilities in this application could grant attackers access to the entire ultrasound system.
  • EchoPAC PC Software: Attackers on the same network as a vulnerable EchoPAC installation could potentially steal or manipulate patient data stored on the software.

Technical Details and Attack Scenarios

The researchers detail various attack scenarios that exploit these vulnerabilities. One concerning scenario involves a two-phase attack on the Vivid T9 system:

  1. Gaining Local Access: Abusing a vulnerability in the Common Service Desktop application allows an attacker to bypass security restrictions and gain local access to the ultrasound machine.
  2. Executing Code and Deploying Ransomware: Another vulnerability in Common Service Desktop allows attackers to execute code with full administrative privileges. This could be used to deploy ransomware, disrupting critical medical procedures.

Ransomware is just one potential consequence. Stolen patient data could be misused or sold on the dark web, posing a significant risk to individuals’ privacy.

Risk Management and Recommendations

GE HealthCare has confirmed that their medical staff has conducted a safety risk assessment and concluded the associated safety risk is controlled. However, the researchers highlight the increasing frequency and complexity of ransomware attacks against healthcare providers.

Recommendations for healthcare providers include:

  • Patching Systems: Refer to the GE HealthCare Product Security Portal for official patches and mitigations.
  • Physical Security: Never leave ultrasound devices unattended, even for a short period.
  • Network Segmentation: Implement proper network segmentation to limit communication between devices and the broader network.
  • Firewall Rules: For workstations with EchoPAC installed, implement firewall rules to block unnecessary network traffic.