The first vulnerability found by CyberMDX consists of a hard-coded private key in the SSH server shipped with all CIC Pro devices. The CIC Pro workstations are connected to CARESCAPE, GE's real-time monitoring network for medical facilities, so they can interact with and display data from other devices on the network, including telemetry servers and bedside monitors. Their investigation started with a look at the CIC Pro Clinical Information Center, a workstation that nurses and caregivers use to monitor real-time waveforms and vital information from multiple patients at the same time, review historical and demographic data, and manage patient alarms. Researchers from CyberMDX, a cybersecurity firm that focuses on services for the healthcare industry, found six high-risk vulnerabilities in GE Healthcare products that they've collectively dubbed MDhex. These types of issues have plagued embedded devices for many years and are the result of old product design practices that focused more on usability and ease of remote support than security. The identified issues involve the use of shared hard-coded credentials or no credentials at all for remote management features, as well as the use of outdated applications with known vulnerabilities. Researchers have found insecure configurations of the remote access and administration features present in several patient monitoring devices and servers made by GE Healthcare that are used in clinics and hospitals around the world.
0 kommentar(er)
