The research team of CyberMDX, a company specializing in the security of health care organizations, revealed the existence of six vulnerabilities, called MDhex, affecting seven GE Healthcare devices that monitor the condition of patients.
These devices are placed near patients' beds, collect medical data and send it to a server. The server is monitored by doctors and nursing staff. According to CyberMDX researchers, the vulnerable GE Healthcare devices are:
- Central Information Center (CIC), versions 4.x and 5.x
- CARESCAPE Central Station (CSCS), versions 1.x and 2.x
- CARESCAPE Telemetry Server, versions 4.3, 4.2 and above
- Apex Pro Telemetry Server / Tower, versions 4.2 and above
- B450 patient monitor, version 2.x
- B650 patient monitor, versions 1.x and 2.x
- B850 patient monitor, versions 1.x and 2.x
In addition to CyberMDX's disclosure, the Department of Homeland Security has published advice aimed at alerting healthcare organizations to the MDhex vulnerabilities.
The patches will be ready by the 2nd quarter of 2020
There are currently no security updates available. A GE Healthcare spokesman said the company plans to release a patch in the second quarter of 2020.
According to CyberMDX researchers, the vulnerabilities are very serious.
However, a GE Healthcare spokesman said the situation is serious but not as tragic as it appears.
The company also said that if healthcare organizations properly set up devices and place them on isolated networks, the risk is even lower.
Hospitals have been informed since last year
GE Healthcare has been aware of these flaws since last year, although the disclosure was made today. All this time the company has been trying to reduce the risk by informing hospitals so that they take security measures.
“GE Healthcare has started sending letters to customers around the world on November 12, 2019, to remind them of the need to properly configure patient monitoring networks,” said a GE spokesman.
“We advise our clients to ensure that their networks are properly configured and isolated to protect against these potential attacks and mitigate the risk.”
GE Healthcare has also announced that it plans to publish this warning on its web portal so that it becomes widely known.
There is no indication that these vulnerabilities have been used by hackers.
In addition to the MDhex vulnerabilities, GE Healthcare also encountered other security issues last year. CyberMDX found vulnerabilities in several of the company's anesthesia machines.