Cybersecurity experts on Tuesday warned of potential vulnerabilities in GE Healthcare systems that could expose protected health information. The imaging giant, meanwhile, has stressed that the concern has had zero impact on patient safety.
New York-based CyberMDX first discovered the issue, noting that it affects more than 100 devices, including CT, ultrasound, x-ray and MR imaging systems. Experts scored the threat at a 9.8 out of 10, denoting “maximum severity.”
“Successfully exploiting the vulnerability may expose sensitive data—such as [protected health information]—or could allow the attacker to run arbitrary code, which might impact the availability of the system and allow manipulation of PHI,” CyberMDX said in an update. “The profound potential impact of these vulnerabilities coupled with the relative ease of exploitation is what makes them so critical in score.”
Regular maintenance on these devices is reportedly performed by entering a default password that’s available on the web for those who know where to look. Without proper restrictions, hackers may be able to exploit these vulnerabilities, accessing imaging systems to possibly execute malicious code or view patient data, Ars Technica reported.
CyberMDX said it alerted GE of the issue in May. The Cybersecurity and Infrastructure Security Agency is also on the case and advising radiology providers on steps they can take to prevent future attacks.
In a statement, GE Healthcare said it is unaware of any unauthorized access to patient data during clinical scenarios. The company is providing on-site assistance to its customers and urging them to follow network management and security best practices.
“We have conducted a full risk assessment and concluded that there is no patient safety concern,” GE said in its statement. “Maintaining the safety, quality, and security of our devices is our highest priority.”