Product Security Portal


Welcome to GE HealthCare's Product Security Portal - a secure, web-based global portal providing credentialed customers a centralized repository to access security updates, the status and required action for GE HealthCare products potentially impacted by critical vulnerabilities, and historical patch product view for released non-critical patches.

 

GE HealthCare's Cybersecurity Risk Management System
Cybersecurity is embedded within the GE HealthCare culture, and we are committed to protecting our business and customers. 

Security Update

For information on reporting discovered vulnerabilities in GE HealthCare products, view the GE HealthCare Coordinated Vulnerability Disclosure Statement.

2025

Original post : Jun 13, 2025– Latest update : Jun 13, 2025

GE HealthCare update on critical vulnerability in Apache Tomcat (CVE-2025-24813)

GE HealthCare is aware of a vulnerability in versions of the Apache Tomcat software. The vulnerability disclosure describes that a malicious actor could exploit the vulnerability to gain access to a system running a vulnerable version of this software.

 

Specific details are available via the links in the references section of the NVD listing:

 

https://nvd.nist.gov/vuln/detail/CVE-2025-24813

 

At this time, GE HealthCare is actively assessing products based on the available information to determine any possible impact. GE HealthCare customers can view more details and receive updates through our GE HealthCare Product Security Portal https://www.gehealthcare.com/productsecurity/products#security-notices-tab.

2024

Original post : Nov 07, 2024– Latest update : Nov 07, 2024

GE HealthCare update on critical vulnerability in Mirth Connect HL7 Engine (CVE-2023-43208)

GE HealthCare is aware of a vulnerability in versions of the software “Mirth Connect” from 3rd party NextGen, which was disclosed in October 2023. On May 20, 2024, CISA added this vulnerability to the Known Exploited Vulnerabilities (KEV) Catalog. The disclosure describes that a malicious actor could exploit the vulnerability to gain access to a system running a vulnerable version of this software, and/or compromise sensitive healthcare data. 

 

Specific details are available via the links in the references section of the NVD listing:

 

https://nvd.nist.gov/vuln/detail/CVE-2023-43208

 

GE HealthCare conducted a thorough investigation and concluded that only a very limited number of GE HealthCare products are potentially impacted by this vulnerability. There have been no customer complaints of malicious exploits against GE HealthCare products via Mirth Connect.

 

GE HealthCare customers can view more details and receive updates through our GE HealthCare Product Security Portal https://securityupdate.gehealthcare.com/.

 

Original post : May 14, 2024– Latest update : Aug 14, 2024

Vulnerability disclosure regarding GE HealthCare EchoPAC Software Only (SWO), EchoPAC TurnKey and ImageVault products

GE HealthCare actively participated in a Coordinated Security Vulnerability Disclosure, describing how EchoPAC Software Only (SWO), EchoPAC TurnKey, and ImageVault products are vulnerable to unencrypted communication, unencrypted database and hardcoded, unencrypted credentials, allowing malicious actors to reach the operating system on these devices if allowed physical access to the device or access to the hospital network. GE HealthCare has determined that the existing mitigations and controls are in place and effectively reduce the risk as far as possible, therefore the residual risk associated with this vulnerability is acceptable.

 

For EchoPAC Software Only (SWO) the vulnerabilities are exploitable only when installed with the EchoPAC Share feature. EchoPAC Software Only (SWO) installed without EchoPAC Share is not impacted.

 

EchoPAC Plug-in and GE HealthCare ultrasound scanners are not impacted by these vulnerabilities.

 

GE HealthCare and Andrea Palanca and Gabriele Quagliarella of Nozomi Networks have interacted throughout the disclosure process.

Risk Analysis: GE HealthCare conducted a thorough investigation and determined that, in the unlikely event a malicious actor gains access to the hospital network or the device, they could gain access to patient information and/or render the system unusable, which would be immediately obvious to the intended user.  GE HealthCare has determined that the existing mitigations and controls are in place and effectively reduce the risk as far as possible, therefore the residual risk associated with this vulnerability is acceptable.

Security Recommendations: GE HealthCare recommends that organizations adopt security and cybersecurity best practices, including securing the network where EchoPAC is connected, and restricting the physical access to devices by unauthorized individuals.

 

If EchoPAC Share is installed and not used, it is recommended to uninstall EchoPAC and then install it again without selecting the “Share” option.

 

It is recommended to use DICOM/TLS communication instead of EchoPAC Share (“remote archive”) for customers where that is an option.

 

Users of our legacy products ImageVault and EchoPAC Turnkey should consider migrating to newer products in the portfolio.

 

If you have any questions, please reach out to your local GE HealthCare Service Representative.

Original post : May 14, 2024– Latest update : May 14, 2024

Vulnerability disclosure regarding GE HealthCare Common Service Desktop (CSD) component used in ultrasound devices

GE HealthCare actively participated in a Coordinated Security Vulnerability Disclosure, describing how the Common Service Desktop (CSD) component used in ultrasound devices is vulnerable to command injection and path traversal, allowing malicious actors to reach the operating system on these devices if allowed physical access to the device. GE HealthCare has determined that the existing mitigations and controls are in place and effectively reduce the risk as far as possible, therefore the residual risk associated with this vulnerability is acceptable.

 

GE HealthCare and Andrea Palanca and Gabriele Quagliarella of Nozomi Networks have interacted throughout the disclosure process.

 

GE HealthCare has released the following vulnerability information:

Risk Analysis: GE HealthCare conducted a thorough investigation and determined that in the unlikely event a malicious actor with physical access rendered the device unusable, there would be clear indicators of this to the intended user of the device. The vulnerability can only be exploited by someone with direct, physical access to the device.  GE HealthCare has determined that the existing mitigations and controls are in place and effectively reduce the risk as far as possible, therefore the residual risk associated with this vulnerability is acceptable.

Security Recommendations: GE HealthCare recommends that organizations adopt security and cybersecurity best practices, including restriction of physical access to devices by unauthorized individuals.

 

If you have any questions, please reach out to your local GE HealthCare Service Representative. 

Original post : Feb 18, 2020– Latest update : May 14, 2024

ICS advisory regarding GE HealthCare ultrasound devices

GE HealthCare actively participated in a Coordinated Security Vulnerability Disclosure, describing how ultrasound devices utilize a method of software application implementation called kiosk mode. This kiosk mode is vulnerable to local breakouts, allowing malicious actors to reach the operating system on these devices if allowed physical access to the device. GE HealthCare has determined that the existing mitigations and controls are in place and effectively reduce the risk as far as possible, therefore the residual risk associated with this vulnerability is acceptable.

 

GE HealthCare, Marc Ruef and Rocco Gagliardi of scip AG, Michael Aguilar of Secureworks, Jonathan Bouman of Protozoan.nl, Andrea Palanca and Gabriele Quagliarella of Nozomi Networks and DHS-CISA have interacted throughout the disclosure process.

 

CVE-2020-6977 has been assigned to the kiosk breakout vulnerability. A CVSS v3 base score of 8.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The previous version of this advisory used a CVSS score of 6.8; the CVSS vector string was (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). For more information from DHS-CISA see: https://www.us-cert.gov/ics/advisories/icsma-20-049-02

 

CVE-2024-1486 has been assigned to an elevation of privileges via misconfigured access control list vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

 

Risk Analysis: GE HealthCare conducted a thorough investigation and determined that in the unlikely event a malicious actor with physical access could render the device unusable, there would be clear indicators of this to the intended user of the device. The vulnerability can only be exploited by someone with direct, physical access to the device.  GE HealthCare has determined that the existing mitigations and controls are in place and effectively reduce the risk as far as possible, therefore the residual risk associated with this vulnerability is acceptable.

 

When GE HealthCare received information regarding a new kiosk breakout method and an elevation of privileges vulnerability, we conducted an additional investigation. Following this investigation, we updated the CVSS scoring (see above) and have released a new CVE. The list of impacted devices remains unchanged. We reviewed the safety risk associated with the vulnerability and it remains unchanged.

Security Recommendations: GE HealthCare recommends organizations restrict physical access to devices by unauthorized individuals.

 

If you have any questions, please reach out to your local GE HealthCare Service Representative.

Original post : Apr 12, 2024– Latest update : Apr 12, 2024

XZ Utils Backdoor Vulnerability (CVE-2024-3094) – GE HealthCare Has Not Identified Any Products Impacted Currently

GE HealthCare is aware of a vulnerability in two versions of the XZ Utils compression library that was disclosed in March 2024. The XZ Utils library is included in Linux distributions. A malicious actor introduced changes in XZ Utils that would allow someone with the right private key to execute malware on a compromised system in a manner that would evade detection.

 

Specific details are available via the links in the references section of the NVD listing:

 

https://nvd.nist.gov/vuln/detail/CVE-2024-3094

 

GE HealthCare has not identified any products that are impacted currently. We will continue to monitor this vulnerability and if there are any changes, we will notify customers through our GE HealthCare Product Security Portal https://securityupdate.gehealthcare.com/.

Original post : Jan 09, 2024– Latest update : Jan 09, 2024

Looney Tunables – Critical glibc Vulnerability in Linux Distributions (CVE-2023-4911)

GE HealthCare is aware of a vulnerability named “Looney Tunables” that was disclosed on October 3rd, 2023.  This vulnerability impacts the GNU C Library in several Linux distributions. The vulnerability was introduced into the library in April 2021. An attacker with local access to the system who successfully exploits this vulnerability could gain root privileges on hosts. An attacker who successfully exploited the vulnerability could then run specially crafted applications on the device.

 

Specific details are available from the researcher: https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so.

 

GE HealthCare reviewed this vulnerability and found no products using a version of Linux that is impacted by this vulnerability based on information currently available. We will continue to monitor this vulnerability and notify customers through our Product Security Portal https://securityupdate.gehealthcare.com/.

Older

Original post : Jul 12, 2023– Latest update : Jul 12, 2023

MOVEit Vulnerabilities (CVE-2023-34362, CVE-2023-35036 and CVE-2023-35708)

GE HealthCare is aware of vulnerabilities in several versions of the MOVEit Transfer web application that were disclosed in June 2023. These vulnerabilities have been leveraged by ransomware groups to steal data from several public and private organizations.

 

Specific details are available from the vendor via the following advisories:

 

https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023

 

https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-CVE-2023-35036-June-9-2023

 

https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability

 

GE HealthCare has not identified any products that are impacted at this time. We will continue to monitor these vulnerabilities and if there are any changes, we will notify customers through our GE HealthCare Product Security Portal https://securityupdate.gehealthcare.com/.

Original post : Oct 01, 2022– Latest update : Oct 01, 2022

Malware Persistence in VMware ESXi Hypervisors

GE HealthCare is aware of a report on September 29th, 2022, from researchers at Mandiant of malware that has been deployed in VMware ESXi hypervisor environments. The attackers used malicious vSphere Installation Bundles (VIBs) to install backdoors on the ESXi hypervisors. The details are available from Mandiant: https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence

 

Specific details for hardening systems are available from the vendor: https://core.vmware.com/vsphere-esxi-mandiant-malware-persistence.

 

At this time, GE HealthCare is actively assessing products based on the available information to determine any possible impact. We will notify customers through our Product Security Portal https://securityupdate.gehealthcare.com/.

Original post : Apr 15, 2022– Latest update : Apr 15, 2022

Spring4Shell – Critical Vulnerability in Spring Framework (CVE-2022-22965)

GE HealthCare is aware of a vulnerability named “Spring4Shell” that was disclosed on March 31st, 2022.  This vulnerability impacts Spring Framework 5.3.0 – 5.3.17, 5.2.0 – 5.2.19, and older, unsupported versions. An attacker who successfully exploits the vulnerability could run specially crafted applications on the device.

 

Specific details are available from the vendor: https://tanzu.vmware.com/security/cve-2022-22965.

 

At this time, GE HealthCare is actively assessing products based on the available information to determine any possible impact. We will notify customers through our Product Security Portal https://securityupdate.gehealthcare.com/.

Original post : Mar 18, 2022– Latest update : Apr 13, 2022

Dirty Pipe – Critical Vulnerability in Linux Distributions (CVE-2022-0847)

GE HealthCare is aware of a vulnerability named “Dirty Pipe” that was disclosed on March 7th, 2022.  This vulnerability impacts the Linux kernel starting with version 5.8. An attacker with local access to the system who successfully exploits this vulnerability could gain root privileges on hosts. An attacker who successfully exploited the vulnerability could then run specially crafted applications on the device.

 

Specific details are available from the researcher: https://dirtypipe.cm4all.com/.

 

At this time, GE HealthCare is actively assessing products based on the available information to determine any possible impact. We will notify customers through this GE HealthCare Product Security Portal.

 

Updated Apr 12, 2022

GE HealthCare reviewed this vulnerability and found no products using a version of Linux that is impacted by this vulnerability based on information currently available. We will continue to monitor this vulnerability and provide updates through the GE HealthCare Security Portal.

Original post : Mar 08, 2022– Latest update : Mar 08, 2022

GE HealthCare update on critical vulnerabilities in PTC’s Axeda agent

GE HealthCare is aware of vulnerabilities disclosed by CyberMDX, in collaboration with PTC and CISA on March 8th, 2022 (https://www.cisa.gov/uscert/ics/advisories/icsa-22-067-01).  These vulnerabilities impact PTC’s Axeda agent.

 

GE HealthCare has performed impact and risk assessments, indicating that only a very limited number of GE HealthCare products are potentially impacted by a subset of these vulnerabilities. GE HealthCare customers can view more details and receive updates on next steps through our Product Security Portal https://securityupdate.gehealthcare.com/.

 

Product security is a top priority for GE HealthCare, and we will continue to work with customers to provide safe and secure healthcare.

Original post : Feb 04, 2022– Latest update : Feb 04, 2022

PwnKit – Critical Polkit Vulnerability in Linux Distributions (CVE-2021-4034)

GE HealthCare is aware of a vulnerability named “PwnKit” that was disclosed by Qualys on January 25th, 2022. This vulnerability impacts the Polkit component in Unix-like operating systems; the Polkit component controls system-wide privileges in the OS. An attacker who successfully exploits this vulnerability could gain root privileges on hosts with a default Polkit configuration. An attacker who successfully exploited the vulnerability could then run specially crafted applications on the device.

 

Specific details are available from Qualys: https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034.

 

At this time, GE HealthCare is actively assessing products based on the available information to determine any possible impact. We will notify customers through this GE HealthCare Product Security Portal.

Original post : Dec 13, 2021– Latest update : Dec 16, 2021

Log4Shell – Critical Apache Log4j Vulnerability (CVE-2021-44228)

GE HealthCare is aware of a vulnerability named “Log4Shell” that was disclosed by the Apache Software Foundation on December 9th, 2021 (https://logging.apache.org/log4j/2.x/security.html). This vulnerability impacts the Log4j logging library that is used widely in Java applications. An attacker who successfully exploits this vulnerability can run arbitrary code on a vulnerable server with system-level privileges.

 

At this time, GE HealthCare is actively assessing products based on the available information to determine any possible impact. We will notify customers through our Product Security Portal https://securityupdate.gehealthcare.com/

Original post : Nov 23, 2021– Latest update : Nov 23, 2021

GE HealthCare Guidance On Firewall Usage In Medical Devices

Many GE HealthCare products are equipped with firewalls. Firewalls help defend critical systems by establishing another layer of protection between the network and the product.

 

GE HealthCare recommends the following guidance on firewall usage in medical devices.

 

Security Recommendations

  • Medical devices that come with a firewall enabled as part of their configuration should not have their firewall disabled during clinical use.
  • Limit network connectivity to necessary IP addresses and services.

 

Security Considerations

  • A disabled firewall could result in unintended consequences (e.g. unavailability of the system).
  • Properly configured firewalls will not adversely impact product performance.

 

Additional Suggestions

  • Change default passwords in your system.
  • Install and configure systems following the guidance in the product documentation.
  • Follow user account management best practices.
  • Keep systems up to date with the latest approved patches for all components.

 

If you have any questions or need guidance for securing your GE HealthCare system, please contact your local GE representative. GE HealthCare follows a continuous vulnerability management process to support risk assessment and remediation of applicable vulnerabilities. Approved third-party security patches for impacted products are detailed elsewhere on the GE HealthCare Product Security Portal.

 

Product security is a top priority for GE HealthCare, and we will continue to work with customers to provide safe and secure healthcare.

Original post : Nov 10, 2021– Latest update : Nov 10, 2021

NUCLEUS:13 TCP/IP Stack Vulnerabilities

GE HealthCare is aware of a group of vulnerabilities named “NUCLEUS:13” that were disclosed by Forescout and Medigate researchers on November 9th, 2021 (https://us-cert.cisa.gov/ics/advisories/icsa-21-313-03). These vulnerabilities impact the Siemens Nucleus Real-time Operating System (RTOS).

 

Product assessments have been completed against the limited number of GE HealthCare product subcomponents utilizing the Nucleus RTOS. The product teams have evaluated the security design and mitigating controls. Given these design controls and mitigations in place, GE HealthCare has determined these products are not impacted by these vulnerabilities.

 

GE HealthCare will continue to monitor the situation and will provide any necessary updates. We will notify customers through our Product Security Portal https://securityupdate.gehealthcare.com/.

Original post : Aug 18, 2021– Latest update : Aug 18, 2021

Blackberry QNX RTOS Vulnerability

GE HealthCare is aware of a vulnerability impacting the Blackberry QNX Real-time Operating System (RTOS).  The vulnerability is related to a memory management flaw in a function of the RTOS. Exploitation of the vulnerability requires external access to QNX.

 

Product assessments have been completed against the limited number of GE HealthCare product subcomponents utilizing the Blackberry QNX RTOS. The product teams have evaluated the security design and mitigating controls. Given these design controls and mitigations in place, GE HealthCare has determined these products are not impacted by this vulnerability.

 

GE HealthCare will continue to monitor the situation and will provide any necessary updates. We will notify customers through our Product Security Portal https://securityupdate.gehealthcare.com/.

Original post : Jul 08, 2021– Latest update : Jul 20, 2021

PrintNightmare – Critical Windows Print Spooler Vulnerability

GE HealthCare is aware of the vulnerability CVE-2021-34527, named “PrintNightmare”.   Information on the PrintNightmare vulnerability can be found here: https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability

 

At this time, GE HealthCare is actively assessing products based on the available information to determine any possible impact. We will notify customers of updates through this GE HealthCare Product Security Portal.

Original post : Dec 18, 2020– Latest update : Jul 02, 2021

GE HealthCare Guidance on Securing Medical Imaging Servers

Background

 

In October 2019, Greenbone Networks (a security research company in Germany) found hundreds of medical imaging servers (PACS) open to the Internet exposing sensitive patient information. The researcher was able to use freely available software or even a browser to view medical images and patient data from unsecured systems. We are aware of a repeat alert being sent out on this topic for added awareness and media reports of a growing number of PACS systems open to the Internet. Our recommendations below have not changed since the prior notifications.

 

Security Recommendations

 

Systems that are used for providing human medical care or contain any private/sensitive information should not be open in this manner. GE HealthCare recommends configuring PACS systems so that they are only accessible inside the network of the healthcare system. If access outside of the healthcare system network is required, then access should be controlled using a VPN and if possible limiting access to known Application Entity Title (AET) devices. It is also recommended to configure systems to use the highest level of Transport Layer Security (TLS) supported by the product mix in the healthcare system. To protect patient confidentiality, systems that are for educational purposes should have all data de-identified.

 

Additional Suggestions

  • Change default passwords in your system
  • Install and configure the PACS system following the guidance in the product documentation
  • Follow user account management best practices
  • Healthcare facilities running older versions of PACS should contact their GE account executive to discuss options
  • Limit network connectivity to necessary IP addresses and services
  • Keep systems up to date with the latest approved patches for all components

 

If you have any questions or need guidance for securing your GE HealthCare PACS system, please contact your local GE representative. GE HealthCare follows a vulnerability management process to support risk assessment and remediation of applicable vulnerabilities. Approved 3rd-party security patches for impacted products are detailed on the GE HealthCare Product Security Portal.

 

Product security is a top priority for GE HealthCare, and we will continue to work with customers to provide safe and secure healthcare.

Original post : Oct 02, 2020– Latest update : May 26, 2021

GE HealthCare recommendations related to ransomware reports in media

Originally posted October 2, 2020 - Updated October 30, 2020: This has been updated to include more information regarding ransomware attacks. Please review below in its entirety.

 

On October 28th, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) issued a joint cybersecurity advisory and warned of “credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers.” This threat includes deployment of malware referred to as “Trickbot” which then deploys ransomware known as “Ryuk”.

 

What is Ransomware?

 

Ransomware is a type of malware that encrypts computer data/storage and then attempts to extort money from the victim in exchange for access to the data decryption key, notably with limited historical success of decryption.

 

What happens?

 

Infections typically begin with social engineering attacks - such as phishing - targeting employees: the employee receives a maliciously crafted email, opens the attachment or link and while doing so infects his/her device with malware. This malware allows the spread of ransomware on the organization's network, encrypts crucial files, deletes backup files and removes security applications. Unpatched security vulnerabilities may contribute to this spread.

 

We would like to take this opportunity to remind you that many vulnerabilities may be resolved by keeping your operating systems updated with the latest approved patches from your system providers.  GE HealthCare follows a vulnerability management process to support risk assessment and remediation of applicable vulnerabilities.  Approved 3rd-party security patches for impacted products are detailed on the GE HealthCare Product Security Portal. In many cases, these patches can be downloaded and installed by customers directly without service support, following instructions in the product documentation. Details are provided per product and applicable vulnerability. The GE HealthCare Product Security Portal can be searched by product and CVE (Common Vulnerabilities and Exposures – unique identifiers for vulnerabilities) and allows you to subscribe to notifications.

 

Additional Suggestions

  • Back up critical systems and files on a regular basis and keep at least one copy off-site and off-line
  • Train all employees on how to spot and avoid social engineering or phishing attacks
  • Keep systems up to date with the latest approved software patches for all components
  • Limit network connectivity to only those endpoints needed for the device/software to properly function, specifically restricting direct internet exposure as applicable
  • Keep enterprise cybersecurity controls and infrastructure up to date

 

Additional information

 

Please note the following ransomware guide released by CISA and MS-ISAC: CISA and MS-ISAC Release Ransomware Guide

 

For more details, see the Joint Cybersecurity Advisory: Ransomware Activity Targeting the Healthcare and Public Health Sector

 

Our goal is to continue to drive improvement in all aspects of how we serve your organization, care providers and staff.  Please follow the guidance above and contact your local GE HealthCare Support team for any questions.

 

GE HealthCare Product Security Portal

 

Information on approved patches for GE HealthCare solutions is available on our GE HealthCare Product Security Portal. Access to the portal is available at no charge for customers. If you are not already registered, please self-register using the "Register" button on the GE HealthCare Product Security Portal. If this registration does not work for any reason, please contact your local GE representative, who will be able to request access on your behalf.

Original post : Dec 07, 2020– Latest update : May 12, 2021

Vulnerability Disclosure regarding Default Passwords in GE HealthCare Products

Summary: GE HealthCare is disclosing security vulnerabilities within certain products using specific remote connectivity solutions.  These vulnerabilities have been reported to GE HealthCare by CyberMDX. The public disclosure of the vulnerabilities is a coordinated action between GE HealthCare and CyberMDX.

 

Background information: In 2018, GE HealthCare worked with a security researcher on a public disclosure of the use of default passwords in certain GE HealthCare medical devices. It was recently brought to GE HealthCare’s attention by CyberMDX, a different third party researcher, that the combination of default passwords with a version of remote service functionality may allow for a malicious party to gain a level of access at least comparable to a GE (remote) service user. This potential vulnerability is not directly accessible from outside the customer’s network, since the protection of this remote service connection runs to within the network boundary. However, exposure of the connection (traffic) on the customer’s network to the medical device may allow for a malicious party to use the vulnerability to gain access to the device.

 

There have been no reported incidents in a clinical use setting of such a cyber-attack occurring, or any reported injuries as a result of this issue.

 

Safety Statement: GE HealthCare has performed a rigorous left-right look throughout their product portfolio, followed by safety risk assessment of all products potentially impacted to assess worst-case scenarios of access and their potential outcome. The result of these assessments is that there is no safety concern associated, and you may continue to use the devices. Out of an abundance of caution, depending on the customer’s confidence in local network security, recommended best practices are described below.

 

Actions and security recommendations: Since the initial disclosure in 2018, GE HealthCare has made numerous improvements to product design development, install and service processes to ensure improvements in password use as we mature our medical device security posture in line with or ahead of industry standards.

 

The above situation only applies to the specific product versions listed on the GE HealthCare Product Security Portal at https://securityupdate.gehealthcare.com/ . This Portal also lists recommendations on applicable network security best practices.

 

CVE-2020-25175 and CVE-2020-25179 have been assigned to these vulnerabilities. The scoring applied to these vulnerabilities represents a situation in which default passwords have not been changed, and local networks are not considered trusted. The score assigned is a CVSS v3.1 score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). In properly configured situations, an environmental score should be applied, which GE HealthCare suggests as follows, with the resulting CVSS v3.1 score of 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/MAV:A/MAC:H). For more information on individual vulnerabilities and CVE identifiers, please see the DHS-CISA advisory here.

 

There have been no reported incidents of a cyber-attack in a clinical use or any reported injuries associated with any of these vulnerabilities.

Please reach out to your local GE Representative for any information regarding network set-up, configuration, maintenance and monitoring, as well as the specific recommendations listed above.

 

GE HealthCare Product Security Portal

 

Further details are available on the GE HealthCare Product Security Portal at https://securityupdate.gehealthcare.com/ . Access to the portal is available at no charge for customers. If you are not already registered, please self-register using the "Register" button on the GE HealthCare Product Security Portal landing page. If this registration does not work for any reason, please contact your local GE representative, who will be able to request access on your behalf.

Original post : Apr 23, 2021– Latest update : May 07, 2021

Name:Wreck TCP/IP Stack Vulnerabilities

GE HealthCare is aware of TCP/IP stack vulnerabilities named “Name:Wreck” disclosed by Forescout and JSOF researchers on April 13, 2021 (https://us-cert.cisa.gov/ncas/current-activity/2021/04/15/namewreck-dns-vulnerabilities).

 

At this time, GE HealthCare is actively assessing products based on the available information to determine any possible impact. Please see our GE HealthCare Product Security Portal (https://securityupdate.gehealthcare.com/) for more information.

 

Updated May 7, 2021

 

GE HealthCare reviewed these vulnerabilities and determined that based on information currently available, only CVE-2016-20009 is potentially relevant for GE HealthCare products. Applicability of this CVE per product can be found on the portal. The other vulnerabilities impact TCP/IP stacks that are not used in GE HealthCare products. We will continue to monitor these vulnerabilities and provide updates through the GE HealthCare Product Security Portal (https://securityupdate.gehealthcare.com/).

Original post : Mar 04, 2021– Latest update : Mar 04, 2021

Microsoft Windows TCP/IP (CVE-2021-24074 and CVE-2021-24094 | Remote Code Execution Vulnerabilities)

Microsoft has identified remote code execution vulnerabilities in the TCP/IP implementation that affects Windows operating systems. Microsoft indicates that an attacker who successfully exploited the vulnerabilities could then run arbitrary code in the context of the Local System Account, potentially allowing for a Denial of Service (DoS) exploit of these vulnerabilities.

 

Specific details are available from Microsoft: https://msrc-blog.microsoft.com/2021/02/09/multiple-security-updates-affecting-tcp-ip/.

 

GE HealthCare is actively assessing products that utilize impacted Microsoft operating systems to determine whether any are impacted. Please see our GE HealthCare Product Security Portal (https://securityupdate.gehealthcare.com/) for more information.

Original post : Feb 11, 2021– Latest update : Feb 11, 2021

Baron Samedit (CVE-2021-3156 | Sudo Elevation of Privilege Vulnerability)

Qualys has identified an elevation of privilege vulnerability in “sudo”, a utility available in major Unix-like operating systems. This vulnerability allows an unprivileged user to gain root privileges on hosts with a default sudo configuration. An attacker who successfully exploited the vulnerability can then run specially crafted applications on the device.

 

Specific details are available from Qualys: https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit.

 

GE HealthCare has performed initial evaluations on this vulnerability based on the risk scoring and CVSS vector string which confirms that exploitation of this vulnerability requires local access to devices with the sudo vulnerability. Please see our GE HealthCare Product Security Portal (https://securityupdate.gehealthcare.com/) for more information.

Original post : Jan 27, 2021– Latest update : Jan 27, 2021

VC150 Vital Signs Monitor Vulnerabilities

Innokas Medical has identified vulnerabilities in VC150 Vital Signs Monitor and has released security enhancements addressing those. Based on Innokas’ assessment the vulnerabilities have no direct impact on VC150 functionality, performance, or measured clinical data.

 

As a distributor of VC150, GE HealthCare has made the new software version from Innokas available in the Flexera eDelivery System.

 

In addition, the new software version is also available directly from Innokas Medical, through their software download portal https://vc150.com/downloads.

Original post : Dec 22, 2020– Latest update : Dec 22, 2020

SolarWinds Vulnerabilities

GE HealthCare is aware of the SolarWinds vulnerabilities impacting many public and private organizations in which attackers inserted malicious code into otherwise legitimate software updates.  This type of incident is referred to as a supply-chain attack because the malicious software was introduced while that software was being assembled at SolarWinds.

 

GE HealthCare product assessments have been completed against all products; none of these products are impacted by the SolarWinds vulnerabilities.  Our devices do not contain the impacted, vulnerable software components, nor do we use them for support of our products.

 

If you have any questions, please contact your local GE representative. GE HealthCare follows a vulnerability management process to support risk assessment and remediation of applicable vulnerabilities.  Approved 3rd-party security patches for impacted products are detailed on the GE HealthCare Product Security Portal.

 

Product security is a top priority for GE HealthCare, and we will continue to work with customers to provide safe and secure HealthCare.

Original post : Oct 01, 2020– Latest update : Oct 01, 2020

Zerologon (CVE-2020-1472 | Windows Domain Controller Elevation of Privilege Vulnerability)

Microsoft has identified an elevation of privilege vulnerability in Windows Domain Controller servers that impacts the following Windows Server operating systems: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server versions 1903, 1909, and 2004. Linux/Unix Systems running Samba are also impacted by this vulnerability. This vulnerability only affects servers that are configured as Domain Controllers. An attacker who successfully exploited the vulnerability can then run a specially crafted application on a device on the network.

 

Specific details are available from Microsoft: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472. Details regarding the vulnerability in Samba are available: https://www.samba.org/samba/security/CVE-2020-1472.html.

 

GE HealthCare is actively assessing products that utilize impacted Microsoft Operating Systems and Unix/Linux systems with Samba.  This statement will be updated as more information becomes available, and we will notify customers through our GE HealthCare Product Security Portal (https://securityupdate.gehealthcare.com).

Original post : Jul 16, 2020– Latest update : Aug 11, 2020

SigRed (MS CVE-2020-1350 | Windows DNS Server Remote Code Execution Vulnerability)

Microsoft has identified a remote code execution vulnerability in Windows Domain Name System (DNS) servers that impacts the following Windows Server operating systems: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server versions 1903, 1909, and 2004. This vulnerability only affects servers that are configured as DNS servers. An attacker who successfully exploited the vulnerability can then run arbitrary code in the context of the Local System Account.

 

Specific details are available from Microsoft: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350.

 

GE HealthCare is actively assessing products that utilize impacted Microsoft Operating Systems. This statement will be updated as more information becomes available, and we will notify customers through our GE HealthCare Product Security Portal (https://securityupdate.gehealthcare.com/).

 

Updated August 11, 2020

 

This vulnerability also impacts Microsoft Windows Server 2003. GE HealthCare is actively assessing products that utilize Windows Server 2003 and will include that information on the GE HealthCare Product Security Portal (https://securityupdate.gehealthcare.com). Since Microsoft no longer supports Windows Server 2003 and has not released a patch for this Operating System (OS), if applicable, GE HealthCare will attempt to provide a workaround in line with information provided by Microsoft for those devices on this OS that are configured as DNS servers.

Original post : Jul 16, 2020– Latest update : Jul 16, 2020

Ripple20 - Treck TCP/IP stack vulnerabilities

GE HealthCare is aware of several TCP/IP stack vulnerabilities named Ripple20 disclosed by Treck on June 16 2020 (https://www.us-cert.gov/ics/advisories/ICSA-20-168-01). GE HealthCare is currently not aware of any of its products directly impacted by these vulnerabilities, but there is possible impact to third party components used in combination with GE HealthCare products. Our customers can find more information through our Product Security Portal (https://securityupdate.gehealthcare.com/).

Original post : Aug 21, 2019– Latest update : Mar 26, 2020

URGENT/11 (VxWorks TCP/IP Stack (IPnet) Vulnerabilities)

GE HealthCare is aware of several VxWorks vulnerabilities that were discovered in the TCP/IP stack (IPnet), a component of certain versions of VxWorks. Wind River has created patches for these security vulnerabilities. To date, there is no indication that the vulnerabilities have been exploited.

 

We have completed applicability assessments of our products based on product software components and, where applicable, in-depth assessments. GE HealthCare customers can review the status or potential impact per product on https://securityupdate.gehealthcare.com.

 

GE HealthCare will continue to monitor the situation and will provide any necessary updates, and we will notify customers through our Product Security Portal (https://securityupdate.gehealthcare.com).

Original post : Mar 04, 2020– Latest update : Mar 04, 2020

SWEYNTOOTH/Bluetooth Low Energy (LE) Vulnerabilities

GE HealthCare is aware of a collection of 12 vulnerabilities impacting Bluetooth Low Energy devices, known collectively as SWEYNTOOTH. The 12 vulnerabilities identified are related to specific Bluetooth hardware manufacturers utilizing various affected software development kits (SDKs). These vulnerabilities are not strictly related to the Bluetooth Low Energy protocol itself.

 

Product assessments have been completed against all GE HealthCare products utilizing Bluetooth communication; none of these products are impacted by the SWEYNTOOTH vulnerabilities. Our devices do not contain the impacted vulnerable Bluetooth hardware components.

 

GE HealthCare's standard process is to continuously monitor our products against vulnerabilities and provide updates to our customers as necessary on our product security portal at https://securityupdate.gehealthcare.com/.

Original post : Jan 23, 2020– Latest update : Jan 23, 2020

Vulnerability Disclosure regarding GE HealthCare Monitoring products

Summary: GE HealthCare is disclosing security vulnerabilities with potential safety implications within certain monitoring products. These vulnerabilities have been reported to GE HealthCare by CyberMDX.

 

Safety Disclosure: When connected to improperly configured Mission Critical (MC) and/or Information Exchange (IX) networks, certain versions of the CARESCAPE Telemetry Server, ApexPro Telemetry Server, CARESCAPE Central Station (CSCS) version 1 and Central Information Center (CIC) systems were identified to have vulnerabilities that, if exploited, could possibly result in a loss of monitoring and/or loss of alarms during active patient monitoring. The vulnerability and related risk of exploitation is higher if the above-mentioned networks are improperly configured.

 

Situation: Six (6) vulnerabilities have been identified which, if exploited, may allow an attacker to:

 

Make changes at the operating system level of the device with effects such as rendering the device unusable, otherwise interfere with the function of the device, and/or

Make certain changes to alarm settings on connected patient monitors, and/or

Utilize services used for remote viewing and control of multiple devices on the network to access the clinical user interface and make changes to device settings and alarm limits, which could result in missed or unnecessary alarms or silencing of some alarms.

 

Properly configured MC and IX networks greatly reduce but do not eliminate the ability to gain access to the networks. As a result, if the networks are properly isolated, for this issue to occur, the unauthorized person would need to gain physical access to the listed monitoring devices themselves individually or acquire direct access to the isolated MC or IX networks on-site at the hospital.

 

In the instructions provided with the devices, GEHC requires that the MC and IX networks are properly configured and isolated from other hospital networks. If those instructions are not followed, a vulnerable situation can exist where an attacker could gain access to the MC and IX networks via the hospital network.

 

If an attacker gains access to the MC and IX network, the following could be exploited: an exposed private key, exposed services, and components with identified software vulnerabilities. In addition to the product impact disclosure above, such a successful exploit may result in potential access to a limited history of patient data (e.g. monitoring/parameter data). The scoring applied to these vulnerabilities represents a situation in which the implementation instructions are not followed, and MC and IX networks are accessible from the hospital network. The score assigned is a CVSS v3.1 score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). In properly configured situations, an environmental score should be applied, which GE HealthCare suggests as follows, with the resulting CVSS v3.1 score of 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/CR:H/IR:H/AR:H/MAV:L/MAC:H). For more information on individual vulnerabilities and CVE identifiers, please see the DHS-CISA advisory here.

 

Security recommendations: You can continue to use your devices. Confirm the proper configuration of the MC and IX networks to ensure the isolation and configuration meets the requirements listed in the Patient Monitoring Network Configuration Guide, CARESCAPE Network Configuration Guide, and your product Technical and Service Manuals. A properly isolated network requires an attacker to gain physical access in order to carry out an exploit.

 

In addition to applying network management best practices, ensure:

  1. MC and IX Networks are isolated;
  2. MC and IX Router/Firewalls block incoming traffic, as applicable;
  3. Restricted physical access to Central Stations, Telemetry Servers, MC network and IX network;
  4. Default passwords are changed as applicable; and
  5. Password management best practices are followed.

There have been no reported incidents of a cyber-attack in a clinical use or any reported injuries associated with any of these vulnerabilities.

 

In addition, GE is developing software updates/patches including additional security enhancements that will be made available. In accordance with GE’s continual cybersecurity hygiene process, customers can access GE’s security website (https://securityupdate.gehealthcare.com) to receive the most up-to-date information, and can subscribe to receive notifications when new updates/patches are available.

 

Please reach out to your local GE Representative for any information regarding network set-up, configuration, maintenance and monitoring, or if you have any additional questions.

 

Note: While a subset of vulnerabilities exists in other products (listed in the table below), these devices have different designs and security mitigations and are therefore not reasonably expected to be susceptible to an exploit. Customers with these products do not need to take any further actions for this issue.

Original post : Jan 16, 2020– Latest update : Jan 16, 2020

MS CVE-2020-0601 - Windows CryptoAPI Spoofing Vulnerability

Microsoft has identified a spoofing vulnerability in versions of the Windows 10 and Windows Server 2016/2019 operating systems, in the way Windows CryptoAPI validates certificates. This vulnerability could allow an exploit by using a spoofed code-signing certificate to sign malicious executables and websites.

 

Specific details are available from Microsoft: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0601.

 

GE HealthCare is actively assessing products that utilize impacted Microsoft Operating Systems. This statement will be updated as more information becomes available, and we will notify customers through our GE HealthCare Product Security Portal (https://securityupdate.gehealthcare.com).

Original post : Aug 14, 2019– Latest update : Aug 14, 2019

MS CVE-2019-1181 and CVE-2019-1182 - Remote Desktop Services Remote Code Execution Vulnerabilities

GE HealthCare is aware of Microsoft reports for users of various Windows versions to apply critical Windows Updates. Microsoft has patched a critical remote code execution vulnerability in Remote Desktop Services that exists in the following: Windows 7 SP1, Windows 8.1, Windows 10, and Windows Server versions like Windows Server 2008 R2, and Windows Server 2012. We are conducting assessments of our products to determine any potential impact. This statement will be updated as more information becomes available, and we will notify customers through our Product Security Portal (https://securityupdate.gehealthcare.com/) if any products are suspected or known to be at risk.

Original post : Jul 16, 2019– Latest update : Jul 16, 2019

ICS advisory regarding GE anesthesia devices

Update: Upon further investigation and out of an abundance of caution, GE HealthCare is updating the statement previously posted and directly notifying users. Please review below in its entirety.

 

Summary

GE HealthCare is aware of a disclosure by ICS-CERT/CISA describing how connecting a device serial port via an add-on and insufficiently secured third-party terminal server to a hospital network may lead to unauthorized access to certain GE HealthCare anesthesia devices. This vulnerability is not in the anesthesia device itself but may arise if users have connected the device to such insufficiently secured third-party network terminal servers.

 

The vulnerability could impact GE HealthCare anesthesia devices in the following four ways:

  1. Flow Sensor

    Although extremely improbable, an insufficiently secured terminal server may provide an opportunity for a malicious actor that has already penetrated the hospital network to send fraudulent flow sensor correction parameters to certain products (see table). A terminal server is an accessory that can be obtained from a third-party supplier (non-GE HealthCare) outside of the standard product configuration. If fraudulent flow sensor correction parameters are sent, the flow sensor calibration could be impacted and cause over-delivery of tidal volume to a patient if Volume Control ventilation is being used. Over-delivery of tidal volume could in rare cases theoretically lead to an increased risk of lung injury. In addition, under-delivery could theoretically occur and cause too little total volume of gas to be delivered. If this were to occur without normal clinical intervention, there could theoretically be compromise of patient oxygenation or ventilation.

     

    Note: the anesthesia machines involved have analog gas controls and a mechanical vaporizer, therefore remote adjustment of gas mix or drug levels is not possible.

     

  2. Alarm

    Alarms may be silenced by a malicious actor, however, only after the initial audible alarm sounds. Visual alarms continue to be displayed and available to the attending clinician. As well, any new alarms break through the silence alarm command and provide audio alert to the user. Anesthesia devices are qualified as an “attended device” where a highly skilled clinician is continuously monitoring the device and this scenario is not reasonably expected to cause patient harm.

     

  3. Clock

    The device date and time clock may be modified by a malicious actor on certain products (see table), however, this modification cannot happen after the patient procedure has started and does not impact the intended use of the device. The time is displayed on the screen at all times. This scenario is not reasonably expected to cause patient harm.

     

  4. Patient weight and age

    A malicious actor could modify the patient weight and age on certain products (see table), however, these parameters must be confirmed and accepted prior to device use by the clinician, do not automatically impact device performance and cannot be modified while the device is in use. This scenario is not reasonably expected to cause patient harm.

     

    There have not been any incidents of cyber-attacks or injuries reported to GE HealthCare because of these issues.

Involved devices

| Device | 1. Flow Sensor Scenario | 2. Alarm Silence Scenario | 3. Clock Scenario | 4. Weight and Age Scenario |
| --- | --- | --- | --- | --- |
| Aespire 7100 / 100 / Protiva / Carestation | Yes (a), Software Version 1.x | Yes | No | No |
| Aestiva 7100 | Yes (b), Software Version 1.x | Yes | No | No |
| Aestiva 7900 | Yes (c), Software Versions 1.x, 2.x, 3.x | Yes | No | No |
| Aestiva MRI | Yes (d), Software Version 3.x | Yes | No | No |
| Aespire 7900 | No | Yes | No | No |
| Aespire View | No | Yes | No | No |
| Aisys, Aisys CS2, Avance, Amingo, Avance CS2 | No | Yes | Yes | Yes |
| Carestation 620/650/650c | No | Yes | Yes | Yes |

(a) Devices manufactured prior to October 2010.

(b) Devices manufactured prior to February 2014.

(c) Devices manufactured prior to March 2004.

(d) Devices manufactured prior to July 2014.

 

Security Recommendations

 

GE HealthCare recommends organizations use secure terminal servers if choosing to connect GE HealthCare anesthesia device serial ports to TCP/IP networks. Secure terminal servers, when correctly configured, provide robust security features, including strong encryption, VPN, authentication of users, network controls, logging, audit capability, and secure device configuration and management options.

 

GE HealthCare recommends that organizations utilize best practices for terminal servers that include governance, management and secure deployment measures such as network segmentation, VLANs and device isolation to enhance existing security measures.

 

If you have any questions, please reach out to your local GE Representative.

 

For more information from ICS-CERT/CISA see: https://www.us-cert.gov/ics/advisories/icsma-19-190-01

Original post : May 14, 2019– Latest update : May 21, 2019

BlueKeep (MS CVE-2019-0708 - Remote Desktop Services Code Execution Vulnerability)

Update: Initial product assessments have been completed; GE HealthCare customers can obtain a per-product view of potentially impacted areas based on a preliminary applicability assessment. Currently, all potentially affected products are being assessed by internal GE HealthCare teams to determine remediation actions; over the coming days to weeks, the results of these assessments, including validated patches and patch installation instructions, will be updated on the Vulnerability Management Portal as they become available.

 

Original message: GE HealthCare is aware of Microsoft reports for users of various Windows versions to apply a critical Windows Update. Microsoft has patched a critical remote code execution vulnerability in Remote Desktop Services that exists in the following: Windows XP, Windows 7, and Windows Server versions like Windows Server 2003, Windows Server 2008 R2, and Windows Server 2008. Microsoft has released patches for Windows XP and Windows Server 2003 specifically, even though both operating systems are no longer supported. We are conducting assessments of our products to determine any potential impact. This statement will be updated as more information becomes available, and we will notify customers through our Vulnerability Management Portal (https://securityupdate.gehealthcare.com/) if any products are suspected or known to be at risk.

Original post : May 31, 2018– Latest update : May 31, 2018

Silex Bridge Accessory Vulnerability in GE HealthCare ECG Devices

GE HealthCare is aware that a security researcher has discovered two security vulnerabilities within a Silex wireless bridge used as an optional accessory in certain GE HealthCare ECG products. If exploited, these vulnerabilities could allow a threat actor to interfere with communications between the product and the hospital network. GE is not aware of any actual exploit of these vulnerabilities. Potential exploit paths do not affect clinical function of the impacted devices. This information was made publicly available 08 May 2018 via ICS-CERT advisory “ICSMA-18-128-01 Silex Technology SX-500/SD-320AN or GE HealthCare MobileLink” at link https://ics-cert.us-cert.gov/advisories/ICSMA-18-128-01 .

 

This optional bridge accessory may be used in GE HealthCare’s MAC 3500, MAC 5000 (product end of life in 2012), MAC 5500, and MAC 5500 HD. The noted vulnerability impacts this accessory and its function as a bridge to the hospital network. Exploit of the vulnerability requires proximity to the devices and would not impact clinical function or data protection.

 

The two vulnerabilities and mitigation methods are:

  1. CVE-2018-6020, GEH-500 Version 1.54 and prior (integrated into GE MobileLink). Mitigation: Enable the “update” account within the web interface which is not enabled by default. Set the secondary password for the “update” account to prevent unauthenticated changes to the bridge configuration.
  2. CVE-2018-6021, GEH-SD-320AN, Version GEH-1.1 and prior (integrated into GE MobileLink). Mitigation: The Silex firmware upgrade is approved by GE HealthCare and customers can download the upgrade and instructions via this link: http://silextechnology.com/geh320an/

 

Medical device security is a top priority for GE HealthCare, and we will continue to work with customers to provide safe and secure HealthCare.

Original post : Mar 13, 2018– Latest update : Mar 13, 2018

NCCIC/ICS-CERT Medical Device Advisory re GE Medical Devices

National Cybersecurity and Communications Integration Center for Industrial Control Systems (NCCIC/ICS-CERT) has issued an advisory addressing use of default credentials in certain GE HealthCare products. This NCCIC/ICS-CERT advisory provides an update to a US-CERT bulletin released in August 2015, and all information on the default credentials was previously made public in the 2015 US-CERT bulletin.

 

Background

 

In 2015, a researcher submitted information to ICS-CERT regarding the use of default and/or hard-coded passwords in certain GE HealthCare products. These passwords were given in Operator or Service Manuals that were made available within a GE HealthCare resource library accessible to customers via hardcopy and internet. This information was subsequently provided by the researcher to US-CERT and published in US-CERT Bulletin SB15-222, released 10 August 2015. The risk scores given in this bulletin were not reviewed with GE HealthCare prior to publication and did not reflect any technical product risk assessment. Upon investigation, GE HealthCare determined that most of the passwords were changeable based on existing product documentation, while some passwords did not have change processes within existing documentation. GE HealthCare recognizes that current industry best practices include restrictions and safeguards on the use of passwords and will continue to support customer requests for assistance to change these passwords.

 

GE HealthCare Risk Assessment Process

 

GE HealthCare has evaluated the password concern raised by the NCCIC/ICS-CERT advisory through an established risk management process addressing safety risks, as well as general security risks to confidentiality, integrity, and availability of device assets. GE HealthCare’s risk assessment concluded that safety risk in these products is at an acceptable level. This conclusion is supported by our historical and ongoing surveillance of products in use, as well as safety risk assessments conducted during the product design process. All these products have been subject to ongoing medical device post market surveillance and GE HealthCare has no evidence of any adverse safety event or security event pertaining to the confidentiality, integrity, or availability of these devices caused by misuse of these passwords. The design of these products includes mitigations against potential safety risks associated with misuse of the passwords. GE HealthCare will continue to monitor our products for safety and security events and respond to our customers’ need for information related to the security of our devices.

Original post : Jun 28, 2017– Latest update : Jun 28, 2017

GE HealthCare Guidance on Petya Ransomware

GE HealthCare is aware of the recent reports of a widespread ransomware event, known as “Petya,” that is affecting entities globally in a diverse range of industries. Based on the information currently available, it appears that a common distribution method of the Petya ransomware is through spear phishing using a malicious document (e.g., e-mail). Similar to the recent WannaCry event, once the ransomware has made it onto a system, Petya encrypts the hard-drive and demands a Bitcoin ransom to unlock it.

 

At this time, there is no expected impact to GE HealthCare devices that have been remediated through patching to address the MS17-010 SMBv1 (WannaCry) vulnerability. However, software and devices that have not yet been patched to address MS17-010 SMBv1 remain vulnerable to the Petya ransomware. GE HealthCare recommends that you apply the necessary patches as soon as possible. For more information regarding specific devices or products in your installed base, please contact your GE Service Representative or GE Service Call Center.

 

GE HealthCare will continue to monitor the situation and will provide any necessary updates.

Original post : Jun 28, 2017– Latest update : Jun 28, 2017

GE HealthCare Guidance on WannaCry Ransomware

Overview and background

 

GE HealthCare is closely monitoring and taking action to address an ongoing ransomware campaign known as WannaCry, WCry, or Wanna Decryptor, targeting Windows-based systems globally. The WannaCry “ransomware” (a form of malware) propagates either through phishing campaigns or through the Microsoft vulnerability MS17-010 SMBv1. Once WannaCry enters a device, it encrypts the data on the device and demands a bitcoin ransom in exchange for releasing the data and unlocking the device.

 

GE HealthCare initial response

 

GE HealthCare has activated a cross-functional engineering, cybersecurity, services and technology team to undertake a full review of all products.  Our teams around the world are continuously monitoring the situation to ensure customers and their services teams have access to the most up-to-date information available in a highly dynamic situation.

 

Microsoft patch

 

Microsoft has issued a patch for all currently supported versions of Microsoft Windows, including Windows Vista, Windows 7, Windows 8.1, and Windows Server 2008 through 2016. Additionally, since the attack, Microsoft has issued patches for Windows XP, Windows 8, and Windows Server 2003.  Additional information regarding Microsoft’s support of this security incident can be found HERE.

 

What to expect?

 

GE HealthCare is committed to supporting our customers to maintain their systems and products in a cyber-secure manner. If customers have been affected by the ransomware, or if they have concerns about a particular product, they are encouraged to contact their GE Service representative or their GE Service Call Center.  Although each customer has unique circumstances, as a general matter, for any device with a Microsoft version for which Microsoft has issued a patch (see above), support is likely to consist of the installation of a Microsoft-approved patch that is either installed by the customer or by our services team.

 

We are creating practical guidance for the installation process and distributing this guidance through GE HealthCare Service and Call Center teams for use in responding to customer questions.

 

GE HealthCare is providing Services representatives with ongoing updates from Microsoft and industry bodies to ensure customers receive the most current information.  We are committed to partnering with our customers and other stakeholders to implement robust product security measures to protect the integrity of patient care around the world.