Summary: Nozomi Networks Labs discovered 11 vulnerabilities in GE HealthCare’s Vivid Ultrasound systems. These vulnerabilities could lead to ransomware attacks or manipulation of patient data. Physical access to the devices is required for exploitation. Patches and mitigations are available on the GE HealthCare Product Security Portal.
Key Takeaways:
- Vulnerabilities Identified: Nozomi Networks found 11 security vulnerabilities in GE HealthCare’s Vivid Ultrasound systems.
- Potential Threats: Exploiting these vulnerabilities could result in ransomware attacks or manipulation of patient data, impacting hospital workflows.
- Mitigations Available: GE HealthCare has provided patches and mitigations, and Nozomi’s threat intelligence feed offers detection strategies for these vulnerabilities.
Nozomi Networks Labs announced that it had discovered a total of 11 vulnerabilities affecting several systems and software from GE HealthCare’s Vivid Ultrasound family.
Researching Vulnerabilities
Nozomi conducted research on the Vivid T9 ultrasound system and its pre-installed Common Service Desktop web application, along with the EchoPAC software to review the generated medical data. A detailed analysis of these vulnerabilities are available on Nozomi’s blog.
The company says that if used, the vulnerabilities could enable several dangerous scenarios, from the implant of ransomware on the ultrasound machine to the access and manipulation of patient data stored on the vulnerable devices.
Threats to Data Security
All of these scenarios could have repercussions to the hospital workflow or to the security of the medical data being processed. However, in order for a hacker to perform these steps, physical interaction with the device is required because the attacker needs to operate with the embedded keyboard and trackpad.
There are already patches and mitigations for the identified vulnerabilities in the GE HealthCare Product Security Portal. Nozomi’s threat Intelligence feed has been updated to provide customers with both detection strategies for the exploitation of the issues and the identification of affected components.