MDhex vulnerabilities impact GE patient vital signs monitoring devices

January 24, 2020

GE Healthcare Carescape CIC Pro workstation


Image: GE Healthcare

Security researchers from CyberMDX, a cyber-security company specializing in healthcare security, have today disclosed technical details about six vulnerabilities they are collectively referring to as MDhex.

The vulnerabilities impact seven GE Healthcare devices meant for patient vital signs monitoring. These are devices installed near patient beds, meant to collect data from sick patients, and send it back to a telemetry server, monitored by clinical staff. Per CyberMDX, impacted GE Healthcare devices include:

  • Central Information Center (CIC), versions 4.x and 5.x
  • CARESCAPE Central Station (CSCS), versions 1.x and 2.x
  • CARESCAPE Telemetry Server, versions 4.3, 4.2 and prior
  • Apex Pro Telemetry Server/Tower, versions 4.2 and earlier
  • B450 patient monitor, version 2.x
  • B650 patient monitor, versions 1.x and 2.x
  • B850 patient monitor, versions 1.x and 2.x

The MDhex security flaws, according to CyberMDX experts, allow an attacker with access to a hospital’s network to take over vulnerable patient monitors and/or telemetry aggregation servers, and then silence alerts, putting patient lives at risk.

Besides the CyberMDX advisory, the Department of Homeland Security has also published security advisories today meant to warn healthcare providers about the MDhex vulnerabilities.

The DHS CISA and FDA advisories contain mitigations that hospitals and clinics can deploy to prevent attackers from exploiting the devices. The general advice is to place these devices on their own separate networks, not connected to the internet, and isolated from any other hospital systems.

Patches coming in Q2 2020

Patches are not available at the time of writing. A GE Healthcare spokesperson told ZDNet in an email this week that the company plans to release software updates in Q2 2020 to address the reported MDhex issues.

According to CyberMDX experts, the vulnerabilities are as bad as they can be, with five out of the six MDhex bugs receiving a rating of 10 out of 10 on the CVSSv3 severity scale.

| CVE | Severity | Description |
|---|---|---|
| CVE-2020-6961 | 10/10 | SSH private key included on devices. Using the private key, an attacker could remotely access and execute code on these devices — potentially compromising the device’s very availability as well as the confidentiality and integrity of any data it holds. |
| CVE-2020-6962 | 10/10 | Using hard-coded SMB credentials that are universally shared across an entire line of devices in the CARESCAPE and GE Health family of products, an attacker could establish a remote SMB connection and receive read/write access to all files on the system. |
| CVE-2020-6963 | 10/10 | MultiMouse / Kavoom KM software can be run to allow remote keyboard/mouse and clipboard control of a machine. |
| CVE-2020-6964 | 10/10 | Hardcoded VNC credentials are included with the affected GE devices. |
| CVE-2020-6965 | 10/10 | Affected GE Healthcare devices come pre-installed with a Webmin (web management console) version that contains known vulnerabilities. |
| CVE-2020-6966 | 8.5/10 | GE devices come pre-loaded with a software update manager to facilitate the remote deployment of updates. This software update manager allows remote file upload. |

However, a GE Healthcare spokesperson disputed the severity ratings, contesting that “in properly configured situations, application of a recommended environmental score modification would land the vulnerabilities at a Common Vulnerability Scoring System (CVSS) score of 8.2,” and not 10/10.

The healthcare device vendor also says that if vendors configure these devices properly, on isolated networks, the danger is much lower to hospitals and their patients.
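One way a hospital network team could check that the isolation advice actually holds is to audit firewall or flow records for connections that enter the monitoring network on the remote-access services listed in the table. The following is an added example, not code from the article, CyberMDX or GE Healthcare; the address range, the log format and the port numbers (usual defaults for each service) are assumptions.

```python
import ipaddress

# Assumption: constructed range standing in for the isolated monitoring network.
MONITOR_NET = ipaddress.ip_network("10.50.0.0/24")

# Remote-access services named in the MDhex table, keyed by their usual default
# TCP ports (an assumption; the article gives no port numbers).
WATCHED_PORTS = {
    22: "SSH (CVE-2020-6961)",
    445: "SMB (CVE-2020-6962)",
    5900: "VNC (CVE-2020-6964)",
    10000: "Webmin (CVE-2020-6965)",
}

# Constructed flow records, one per line: src_ip dst_ip dst_port action
SAMPLE_FLOWS = """\
10.50.0.21 10.50.0.5 445 ACCEPT
10.20.3.40 10.50.0.5 445 ACCEPT
10.20.3.40 10.50.0.12 5900 DENY
192.0.2.77 10.50.0.5 10000 ACCEPT
10.50.0.12 10.50.0.5 22 ACCEPT
10.20.3.40 10.50.0.5 443 ACCEPT
garbage line
"""

def audit_flows(flow_text):
    """Sort flows that cross into MONITOR_NET on a watched port by outcome."""
    result = {"allowed": [], "blocked": []}
    for lineno, line in enumerate(flow_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        src, dst, port, action = parts
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue  # skip records with unparsable addresses or ports
        # Only traffic originating outside the monitoring network is of interest.
        crosses = dst_ip in MONITOR_NET and src_ip not in MONITOR_NET
        if not crosses or port not in WATCHED_PORTS:
            continue
        key = "allowed" if action == "ACCEPT" else "blocked"
        result[key].append((lineno, src, dst, port, WATCHED_PORTS[port]))
    return result
```

Entries under `allowed` mean the segmentation is not enforced for that service; entries under `blocked` show the control working and are worth reviewing as attempted access from outside the monitoring network.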

Hospitals have been notified since last year

GE Healthcare has known about these bugs since last year, and even before today’s public disclosure, it has been working to reduce their impact by secretly warning hospitals in advance.

“GE Healthcare began sending letters to customers globally on November 12, 2019, which reminds users of the proper configuration of the patient monitor networks,” a GE spokesperson told ZDNet.

“We are advising our customers to ensure their networks are properly configured and isolated to protect against these potential concerns and mitigate the risk.”

GE Healthcare said it also plans to publish these mitigations on its web portal’s security section, to make them broadly available.

At the time of writing, the vendor said it was “not aware of any incidents where these vulnerabilities have been exploited in a clinical situation.”

This is the second major set of vulnerabilities GE Healthcare has dealt with during the past year. CyberMDX found security flaws in several of the company’s anesthesia machines last year.

Credit: ZDNet
