Alert over critical 'MDhex' vulnerabilities in GE patient monitoring devices
If exploited, the vulnerabilities could enable hackers to steal confidential health details of patients
Researchers from cyber security firm CyberMDX have discovered six serious security flaws, collectively referred to as 'MDhex', in GE Healthcare patient monitoring devices.
The security flaws are considered so series that the US Department of Homeland Security (DHS) issued an alert on Thursday to warn users. The advisory warned that the vulnerabilities, if exploited, could affect device functionality, while enabling attackers to steal the health details of patients.
The vulnerabilities have been indexed as CVE-2020-6961, CVE-2020-6962, CVE-2020-6963, CVE-2020-6964, CVE-2020-6965, and CVE-2020-6966, impact the following patient monitoring platforms:
- Clinical Information Centre (CIC), Versions 4.X and 5.X
- ApexPro Telemetry Server, Versions 4.2 and prior
- CARESCAPE Telemetry Server, Versions 4.2 and prior
- CARESCAPE Telemetry Server, Version 4.3 (Impacted by CVE-2020- 6962 and CVE-2020-6961)
- CARESCAPE Central Station (CSCS), Versions 1.X and Version 2.X (Impacted by CVE-2020- 6962 and CVE-2020-6964)
- B450, Version 2.X (Impacted by CVE-2020- 6962 and CVE-2020-6965)
- B650, Version 1.X and Version 2.X (Impacted by CVE-2020- 6962 and CVE-2020-6965)
- B850, Version 1.X and Version 2.X (Impacted by CVE-2020- 6962 and CVE-2020-6965)
The CIC Pro workstations are used in hospitals to view patients' physiological data and waveforms, along with patient demographic data, in real time.
The technology, which involves data transmission from different side-monitors via a shared network, can be centrally managed, although these features are also sources of potential issues.
The security vulnerabilities could enable hackers to interfere with device functions, modify alarm settings and steal patients' health information.
CyberMDX researchers disclosed the vulnerabilities to GE on 18th September 2019 and responsibly disclosed them on 23rd January 2019.
Cyber security experts at GE, CyberMDX, and CISA have analysed the bugs over the past four months so that subsequent mitigations could be effectively managed.
Out of six vulnerabilities, five were assigned a severity score of 10 out of 10, while one got a score of 8.5.
There are currently no reports of attackers specifically targeting these vulnerabilities, according to researchers.