Researchers Say Dozens of GE Medical Devices Could Expose Patient Data

The vulnerable devices are used for CT scans, MRIs, mammograms, ultrasounds and positron emission tomography.

Researchers Say Dozens of GE Medical Devices Could Expose Patient Data

The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) issued a warning to hospitals and other healthcare facilities on Tuesday about dozens of GE Healthcare imaging and ultrasound products. According to CISA, an authentication flaw in them poses a serious risk to protected health information.

“A successful exploitation could expose sensitive data such as a limited set of patient health information (PHI) or could allow the attacker to run arbitrary code, which might impact the availability of the system and allow manipulation of PHI,” the warning said.

The flaw was discovered by CyberMDX. According to, more than 100 of GE’s devices have hardcoded default passwords that aren’t easy to change. The devices are used for CT scans, MRIs, mammograms, ultrasounds and positron emission tomography, reports They use default passwords to receive regular maintenance, and the passwords are on the Internet.

Cyber MDX says attackers only need to be on the same network to exploit a vulnerable device. Attackers can get on a network by tricking authorized users into opening an email with malware, reports Tech Crunch.

Although the default passwords can be changed, they must be changed by a GE engineer who is onsite.

“The profound potential impact of these vulnerabilities coupled with the relative ease of exploitation is what makes them so critical in score,” said an advisory from Cyber MDX. “Immediately upon discovering the flaw in May 2020, CyberMDX has contacted GE Healthcare to report the issue and both organizations are working together to resolve it.”

The list of affected products can be found here. 

CISA says that GE has identified mitigations for specific products and releases and “will take proactive measures to ensure proper configuration of the product firewall protection and change default passwords on impacted devices where possible. GE recommends users refer to the GE Healthcare Product Security Portal for more details on mitigations and how proactive actions may apply to affected devices.”

GE also recommends the following leading practices:

  • Ensure proper segmentation of the local hospital/clinical network and create explicit access rules based on source/destination IP/port for all connections, including those used for remote support. Specific ports to consider may include those used for TELNET, FTP, REXEC, and SSH
  • Utilize IPSec VPN and explicit access rules at the Internet edge before forwarding incoming connections to the local hospital/clinical network.

CISA also reminded organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

If you appreciated this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!

About the Author

robin hattersley headshot

Robin has been covering the security and campus law enforcement industries since 1998 and is a specialist in school, university and hospital security, public safety and emergency management, as well as emerging technologies and systems integration. She joined CS in 2005 and has authored award-winning editorial on campus law enforcement and security funding, officer recruitment and retention, access control, IP video, network integration, event management, crime trends, the Clery Act, Title IX compliance, sexual assault, dating abuse, emergency communications, incident management software and more. Robin has been featured on national and local media outlets and was formerly associate editor for the trade publication Security Sales & Integration. She obtained her undergraduate degree in history from California State University, Long Beach.

Leading in Turbulent Times: Effective Campus Public Safety Leadership for the 21st Century

This new webcast will discuss how campus public safety leaders can effectively incorporate Clery Act, Title IX, customer service, “helicopter” parents, emergency notification, town-gown relationships, brand management, Greek Life, student recruitment, faculty, and more into their roles and develop the necessary skills to successfully lead their departments. Register today to attend this free webcast!

Leave a Reply

Your email address will not be published. Required fields are marked *

Get Our Newsletters
Campus Safety HQ