The National Cybersecurity and Communications Integration Center for Industrial Control Systems (NCCIC/ICS-CERT) has issued an advisory addressing the use of default credentials in certain GE Healthcare products. This NCCIC/ICS-CERT advisory provides an update to a US-CERT bulletin released in August 2015; all information on the default credentials was previously made public in that 2015 US-CERT bulletin.
In 2015, a researcher submitted information to ICS-CERT regarding the use of default and/or hard-coded passwords in certain GE Healthcare products. These passwords were given in Operator or Service Manuals that were made available in hard copy and on the internet within a GE Healthcare resource library accessible to customers. This information was subsequently provided by the researcher to US-CERT and published in US-CERT Bulletin SB15-222, released 10 August 2015. The risk scores given in this bulletin were not reviewed with GE Healthcare prior to publication and did not reflect any technical product risk assessment. Upon investigation, GE Healthcare determined that most of the passwords were changeable based on existing product documentation, while some passwords did not have change processes within existing documentation. GE Healthcare recognizes that current industry best practices include restrictions and safeguards on the use of passwords and will continue to support customer requests for assistance in changing these passwords.
GE Healthcare Risk Assessment Process
GE Healthcare has evaluated the password concern raised by the NCCIC/ICS-CERT advisory through an established risk management process addressing safety risks, as well as general security risks to the confidentiality, integrity, and availability of device assets. GE Healthcare’s risk assessment concluded that the safety risk in these products is at an acceptable level. This conclusion is supported by our historical and ongoing surveillance of products in use, as well as by safety risk assessments conducted during the product design process. All of these products have been subject to ongoing medical device post-market surveillance, and GE Healthcare has no evidence of any adverse safety event, or of any security event pertaining to the confidentiality, integrity, or availability of these devices, caused by misuse of these passwords. The design of these products includes mitigations against potential safety risks associated with misuse of the passwords. GE Healthcare will continue to monitor our products for safety and security events and to respond to our customers’ need for information related to the security of our devices.