July 8, 2019
ICS advisory regarding GE anesthesia devices
GE Healthcare is aware of a disclosure by CyberMDX describing how connecting a device's serial port to a TCP/IP network through an add-on, insufficiently secured terminal server may allow unauthorized access to that device. The disclosure describes a scenario in which a malicious party on the same network as a GE Healthcare anesthesia device could modify the gas composition parameters used to correct flow sensor readings for gas density, change the device time and, under certain circumstances, silence alarms after the initial audible alarm. No vulnerability has been identified in the device itself. GE Healthcare has determined that this scenario does not provide access to data and does not introduce a clinical hazard or patient risk.
GE Healthcare, CyberMDX and ICS-CERT/CISA have interacted throughout the disclosure process.
For more information from ICS-CERT/CISA see: https://www.us-cert.gov/ics/advisories/icsma-19-190-01
GE Healthcare conducted a formal internal risk investigation and determined that, while certain insufficiently secured terminal server implementations could allow a remote party to modify the gas composition parameters used to correct flow sensor readings for gas density, change the device time and silence alarms after the initial audible alarm, this introduces no clinical hazard or direct patient risk.
GE Healthcare has concluded that:
- the potential ability to remotely modify GE Healthcare anesthesia device parameters is an effect resulting from a configuration exposure through certain insufficiently secured terminal server implementations that extend GE Healthcare anesthesia device serial ports to TCP/IP networks;
- while the anesthesia device is in use, the potential gas composition parameter changes, potential device time change, or potential remote alarm silencing actions will not interfere in any way with the delivery of therapy to a patient at the point of delivery, and do not pose any direct clinical harm; and
- the potential ability to modify GE Healthcare anesthesia device parameters or silence alarms does not demonstrate a vulnerability of the GE Healthcare anesthesia device functionality itself.
Anesthesia devices are classified as “attended devices”: primary control is maintained by the clinician at the device. While an alarm could potentially be silenced over the insufficiently secured terminal server's TCP/IP connection to the GE Healthcare anesthesia device, both the audible annunciation and the visual signaling of the alarm are still presented to the attending clinician at the device interface.
The ICS-CERT publication lists the Aestiva and Aespire versions 7100 and 7900 anesthesia devices.
- The ability to modify gas composition parameters to correct flow sensor readings for gas density is restricted to anesthesia devices sold prior to 2009, which may have employed an external gas monitor.
GE Healthcare recommends that organizations use secure terminal servers when choosing to connect GE Healthcare anesthesia device serial ports to TCP/IP networks. Correctly configured secure terminal servers provide robust security features, including strong encryption, VPN support, user authentication, network access controls, logging and audit capability, and secure device configuration and management options.
GE Healthcare also recommends that organizations follow terminal server best practices, including governance, management and secure deployment measures such as network segmentation, VLANs and device isolation, to strengthen existing security measures.
If you have any questions, please reach out to your local GE Service Representative.
Original post: May 14, 2019 – Latest update: May 21, 2019
BlueKeep (Microsoft CVE-2019-0708 - Remote Desktop Services Remote Code Execution Vulnerability)
Update: Initial product assessments have been completed; GE Healthcare customers can obtain a per-product view of potentially impacted areas based on a preliminary applicability assessment. All potentially affected products are now being assessed by internal GE Healthcare teams to determine remediation actions; over the coming days to weeks, the results of these assessments, including validated patches and patch installation instructions, will be posted on the Vulnerability Management Portal as they become available.
Original message: GE Healthcare is aware of Microsoft's advisory urging users of various Windows versions to apply a critical Windows update. Microsoft has patched a critical remote code execution vulnerability in Remote Desktop Services (CVE-2019-0708) affecting Windows XP, Windows 7, Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2; Windows 8 and Windows 10 are not affected. The vulnerability can be triggered before authentication and without user interaction, which is why Microsoft has released patches for Windows XP and Windows Server 2003 even though both operating systems are no longer supported. We are conducting assessments of our products to determine any potential impact. This statement will be updated as more information becomes available, and we will notify customers through our Vulnerability Management Portal (https://securityupdate.gehealthcare.com/) if any products are suspected or known to be at risk.
Silex Bridge Accessory Vulnerability in GE Healthcare ECG Devices
GE Healthcare is aware that a security researcher has discovered two security vulnerabilities in a Silex wireless bridge used as an optional accessory with certain GE Healthcare ECG products. If exploited, these vulnerabilities could allow a threat actor to interfere with communications between the product and the hospital network. GE Healthcare is not aware of any actual exploitation of these vulnerabilities, and the potential exploit paths do not affect the clinical function of the affected devices. This information was made public on 08 May 2018 in ICS-CERT advisory ICSMA-18-128-01, “Silex Technology SX-500/SD-320AN or GE Healthcare MobileLink”: https://ics-cert.us-cert.gov/advisories/ICSMA-18-128-01
This optional bridge accessory may be used with GE Healthcare's MAC 3500, MAC 5000 (product end of life in 2012), MAC 5500 and MAC 5500 HD. The vulnerabilities affect the accessory and its function as a bridge to the hospital network. Because the bridge is wireless, exploitation requires proximity to the devices; it would not affect clinical function or data protection.
The two vulnerabilities and mitigation methods are:
- CVE-2018-6020, GEH-500 version 1.54 and prior (integrated into GE MobileLink). Mitigation: enable the “update” account in the bridge's web interface (it is not enabled by default) and set the secondary password for that account, so that changes to the bridge configuration require authentication.
- CVE-2018-6021, GEH-SD-320AN version GEH-1.1 and prior (integrated into GE MobileLink). Mitigation: apply the Silex firmware upgrade approved by GE Healthcare; the upgrade and instructions are available at http://silextechnology.com/geh320an/
Medical device security is a top priority for GE Healthcare, and we will continue to work with customers to provide safe and secure healthcare.
NCCIC/ICS-CERT Medical Device Advisory re GE Medical Devices
The National Cybersecurity and Communications Integration Center's Industrial Control Systems Cyber Emergency Response Team (NCCIC/ICS-CERT) has issued an advisory addressing the use of default credentials in certain GE Healthcare products. This NCCIC/ICS-CERT advisory updates a US-CERT bulletin released in August 2015; all of the information on the default credentials was already made public in that 2015 bulletin.
In 2015, a researcher submitted information to ICS-CERT regarding the use of default and/or hard-coded passwords in certain GE Healthcare products. These passwords appear in Operator or Service Manuals that GE Healthcare made available to customers, in hard copy and online, through its resource library. The researcher subsequently provided this information to US-CERT, which published it in US-CERT Bulletin SB15-222 on 10 August 2015. The risk scores in that bulletin were not reviewed with GE Healthcare before publication and did not reflect a technical product risk assessment. On investigation, GE Healthcare determined that most of the passwords could be changed by following existing product documentation, while some had no documented change procedure. GE Healthcare recognizes that current industry best practice includes restrictions and safeguards on the use of passwords and will continue to support customer requests for assistance in changing these passwords.
GE Healthcare Risk Assessment Process
GE Healthcare has evaluated the password concern raised by the NCCIC/ICS-CERT advisory through an established risk management process that addresses safety risks as well as general security risks to the confidentiality, integrity and availability of device assets. GE Healthcare's risk assessment concluded that the safety risk in these products is at an acceptable level. This conclusion is supported by our historical and ongoing surveillance of products in use, as well as by the safety risk assessments conducted during product design. All of these products are subject to ongoing medical device post-market surveillance, and GE Healthcare has no evidence of any adverse safety event, or any security event affecting the confidentiality, integrity or availability of these devices, caused by misuse of these passwords. The design of these products includes mitigations against the potential safety risks associated with misuse of the passwords. GE Healthcare will continue to monitor our products for safety and security events and to respond to our customers' needs for information about the security of our devices.
GE Healthcare Guidance on Petya Ransomware
GE Healthcare is aware of recent reports of a widespread ransomware event, known as “Petya,” affecting organizations globally across a diverse range of industries. Based on the information currently available, a common distribution method appears to be spear phishing with a malicious e-mail attachment. As with the recent WannaCry event, once the ransomware is on a system it encrypts the hard drive and demands a Bitcoin ransom to unlock it.
At this time, no impact is expected on GE Healthcare devices that have already been patched for the MS17-010 SMBv1 vulnerability exploited by WannaCry. Software and devices that have not yet been patched for MS17-010 remain vulnerable to Petya over that path, and GE Healthcare recommends applying the necessary patches as soon as possible. Note, however, that this Petya variant also moves laterally using harvested credentials and legitimate Windows administration tools (PsExec and WMI), so a patched host can still be reached from a compromised neighbor that holds valid credentials; credential hygiene and network segmentation remain important alongside patching. For more information regarding specific devices or products in your installed base, please contact your GE Service Representative or GE Service Call Center.
GE Healthcare will continue to monitor the situation and will provide any necessary updates.
GE Healthcare Guidance on WannaCry Ransomware
Overview and background
GE Healthcare is closely monitoring and taking action to address an ongoing ransomware campaign known as WannaCry, WCry or Wanna Decryptor, which targets Windows-based systems globally. WannaCry “ransomware” (a form of malware) spreads across networks by exploiting the SMBv1 vulnerability fixed in Microsoft security bulletin MS17-010, and may also arrive through phishing campaigns. Once WannaCry is on a device, it encrypts the data on the device and demands a bitcoin ransom in exchange for releasing the data and unlocking the device.
GE Healthcare initial response
GE Healthcare has activated a cross-functional engineering, cybersecurity, services and technology team to undertake a full review of all products. Our teams around the world are continuously monitoring the situation to ensure customers and their services teams have access to the most up-to-date information available in a highly dynamic situation.
Microsoft has issued a patch for all currently supported versions of Microsoft Windows, including Windows Vista, Windows 7, Windows 8.1 and Windows Server 2008 through 2016. Additionally, since the attack, Microsoft has issued patches for Windows XP, Windows 8 and Windows Server 2003, even though those versions are out of support. Additional information regarding Microsoft's response to this security incident is available in Microsoft's customer guidance for the WannaCrypt attacks.
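The following PowerShell audit is an added example, not GE Healthcare code or guidance, and it is meant for the hospital's own Windows workstations and servers rather than for GE Healthcare devices, which should only receive GE-validated patches as described on this page. It checks a host for the two exposures discussed here: whether SMBv1 is still enabled and the MS17-010 fix is missing (the WannaCry and Petya propagation path), and whether Remote Desktop is listening without Network Level Authentication and the CVE-2019-0708 fix is missing (BlueKeep). The KB numbers are the ones Microsoft published for Windows 7 / Server 2008 R2 and for Windows XP / Server 2003; treat them as assumptions to confirm against the Microsoft bulletins for other builds, and note that a host patched through a later cumulative rollup will not show these exact IDs, so "KB not found" means "verify", not "vulnerable". Requiring NLA for RDP is Microsoft's documented interim mitigation for CVE-2019-0708 and only blocks unauthenticated exploitation.

```powershell
# Added example (not GE Healthcare's): audit a Windows host for the SMBv1/MS17-010
# and RDP/CVE-2019-0708 exposures discussed above. Run from an elevated PowerShell
# session. Written to stay compatible with PowerShell 2.0 on Windows 7 / 2008 R2.
# KB IDs are assumptions taken from Microsoft's bulletins for Win7/2008R2 and XP/2003;
# later cumulative rollups supersede them, so absence is a prompt to verify, not proof.

$Checks = @(
    @{ Name = 'MS17-010 (SMBv1, WannaCry/Petya)'; Kbs = @('KB4012212', 'KB4012215', 'KB4012598') },
    @{ Name = 'CVE-2019-0708 (RDP, BlueKeep)';   Kbs = @('KB4499175', 'KB4499164', 'KB4500331') }
)

function Test-HotfixPresent {
    # Returns the first matching installed KB ID, or $null if none of them is present.
    param([string[]]$Ids)
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    foreach ($id in $Ids) { if ($installed -contains $id) { return $id } }
    return $null
}

function Get-Smb1State {
    # LanmanServer\Parameters\SMB1 = 0 disables the SMBv1 server (Microsoft KB2696547).
    # When the value is absent, SMBv1 is enabled by default on Windows 7 / 2008 R2 era hosts.
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                          -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $p)   { return 'enabled (default)' }
    if ($p.SMB1 -eq 0)  { return 'disabled' }
    return 'enabled'
}

function Get-RdpState {
    # fDenyTSConnections = 0 means Remote Desktop accepts connections;
    # RDP-Tcp\UserAuthentication = 1 means Network Level Authentication is required.
    $ts  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                            -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $nla = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
                            -Name UserAuthentication -ErrorAction SilentlyContinue
    $listening = ($null -ne $ts)  -and ($ts.fDenyTSConnections -eq 0)
    $nlaOn     = ($null -ne $nla) -and ($nla.UserAuthentication -eq 1)
    return New-Object PSObject -Property @{ Listening = $listening; NlaRequired = $nlaOn }
}

# --- report ---
foreach ($c in $Checks) {
    $kb = Test-HotfixPresent -Ids $c.Kbs
    if ($kb) { Write-Output ("[OK]   {0}: {1} installed" -f $c.Name, $kb) }
    else     { Write-Output ("[WARN] {0}: none of {1} found; confirm a later cumulative rollup before treating as patched" -f $c.Name, ($c.Kbs -join ', ')) }
}

$smb = Get-Smb1State
Write-Output ("SMBv1 server: {0}" -f $smb)
if ($smb -ne 'disabled') {
    Write-Output "  To disable SMBv1 (reboot required):"
    Write-Output "  Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -Type DWord -Value 0 -Force"
}

$rdp = Get-RdpState
Write-Output ("RDP listening: {0}; NLA required: {1}" -f $rdp.Listening, $rdp.NlaRequired)
if ($rdp.Listening -and -not $rdp.NlaRequired) {
    Write-Output "  CVE-2019-0708 is pre-authentication; require NLA as Microsoft's interim mitigation:"
    Write-Output "  Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication -Type DWord -Value 1"
}
```

The script only reports and prints the remediation commands; it changes nothing on its own, so it can be run across a fleet first and the registry changes applied deliberately afterwards. Disabling SMBv1 breaks communication with any device that still speaks only SMBv1, which is common on older medical equipment, so check dependencies before applying it on a segment that hosts such devices.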
What to expect?
GE Healthcare is committed to supporting our customers in maintaining their systems and products in a cyber-secure manner. Customers who have been affected by the ransomware, or who have concerns about a particular product, are encouraged to contact their GE Service representative or GE Service Call Center. Although each customer's circumstances are unique, as a general matter, for any device running a Windows version for which Microsoft has issued a patch (see above), support is likely to consist of the installation of a Microsoft-approved patch, either by the customer or by our services team.
We are creating practical guidance for the installation process and distributing this guidance through GE Healthcare Service and Call Center teams for use in responding to customer questions.
GE Healthcare is providing Services representatives with ongoing updates from Microsoft and industry bodies to ensure customers receive the most current information. We are committed to partnering with our customers and other stakeholders to implement robust product security measures to protect the integrity of patient care around the world.