Alert over critical 'MDhex' vulnerabilities in GE patient monitoring devices

If exploited, the vulnerabilities could enable hackers to steal confidential health details of patients

Researchers from cyber security firm CyberMDX have discovered six serious security flaws, collectively referred to as 'MDhex', in GE Healthcare patient monitoring devices.

The security flaws are considered so serious that the US Department of Homeland Security (DHS) issued an alert on Thursday to warn users. The advisory warned that the vulnerabilities, if exploited, could affect device functionality and allow attackers to obtain patients' health data.

The vulnerabilities, indexed as CVE-2020-6961, CVE-2020-6962, CVE-2020-6963, CVE-2020-6964, CVE-2020-6965 and CVE-2020-6966, affect the following patient monitoring platforms:

The CIC Pro workstations are used in hospitals to view patients' physiological data and waveforms, along with patient demographic data, in real time.

The workstations receive data from bedside monitors over a shared network and can be centrally managed; the same networking and remote-management features are where the vulnerabilities arise.

The security vulnerabilities could enable hackers to interfere with device functions, modify alarm settings and steal patients' health information.

CyberMDX researchers reported the vulnerabilities to GE on 18th September 2019 and publicly disclosed them on 23rd January 2020.

Security engineers from GE, CyberMDX and CISA spent the intervening four months analysing the flaws and coordinating mitigations ahead of disclosure.

Of the six vulnerabilities, five were assigned the maximum CVSS severity score of 10 out of 10, while the sixth was scored 8.5.

According to the researchers, there are currently no reports of attackers exploiting these vulnerabilities in the wild.