OTPulse

GE Healthcare Imaging and Ultrasound Products

Plan PatchCVSS 9.8ICS-CERT ICSMA-20-343-01Dec 8, 2020
GE VernovaHealthcare
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

GE Healthcare diagnostic imaging and ultrasound products contain authentication weaknesses that allow an attacker with network access to gain remote access with privileges comparable to GE remote service accounts. Affected products include MRI systems (Signa, Brivo, Optima MR), ultrasound devices (LOGIQ, Vivid, Voluson), CT scanners, X-ray systems, nuclear medicine equipment, and mammography devices across all versions and revisions listed. Successful exploitation could expose patient health information (PHI) or allow arbitrary code execution, potentially disrupting imaging operations or allowing manipulation of patient data. GE states there is no software patch available but recommends firewall configuration hardening, default password changes, and adherence to clinical network security best practices.

What this means
What could happen
An attacker with network access to affected GE diagnostic imaging devices could gain remote access comparable to GE service credentials, potentially exposing patient health information or running arbitrary code that disrupts imaging operations.
Who's at risk
All GE Healthcare imaging and ultrasound equipment in diagnostic departments is affected, including MRI systems (Signa, Brivo, Optima MR), ultrasound systems (LOGIQ, Vivid, Voluson, EchoPAC), CT scanners (LightSpeed, Optima CT, BrightSpeed, Discovery CT, Revolution), X-ray systems (Innova, Optima IGS, Definium, Brivo XR, Precision), nuclear medicine systems (Discovery NM, Brivio NM, Infinia, Ventri), and mammography devices (Senographe, Seno). Any healthcare facility using these devices is affected.
How it could be exploited
An attacker on the hospital network could target default credentials or weak authentication mechanisms on imaging devices (MRI, ultrasound, CT, X-ray, nuclear medicine systems). Once access is gained, the attacker could execute commands with service-level privileges to read/modify patient data or disrupt device availability.
Prerequisites
  • Network access to the healthcare delivery organization's network where imaging devices are located
  • Ability to reach affected devices on the clinical network (no requirement to be on the same subnet if routing permits)
Remotely exploitableNo authentication required (default credentials)Low attack complexityNo patch availableAffects healthcare delivery systems and patient dataWide deployment across hospital diagnostic imaging departments
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (106)
106 pending
ProductAffected VersionsFix Status
3.0T Signa Hdxt: HD 16 | HD23HD 16 | HD23No fix yet
3.0T Signa HDXx: HD 16 | HD23HD 16 | HD23No fix yet
1.5T Brivo MR355: SV20.1 | SV23.0SV20.1 | SV23.0No fix yet
Optima MR360: SV20.1 | SV23.0SV20.1 | SV23.0No fix yet
1.5T Signa Hdx: HD 16 | HD23HD 16 | HD23No fix yet
Remediation & Mitigation
0/5
Do now
0/3
HARDENINGChange default passwords on all affected imaging devices to strong, unique credentials
WORKAROUNDImplement firewall rules to restrict access to imaging device management ports to authorized clinical engineering and IT staff only
WORKAROUNDApply GE-provided mitigations available on the GE Healthcare Product Security Portal for your specific device models and software versions
Long-term hardening
0/2
HARDENINGSegment imaging devices onto a separate VLAN with strict controls on which stations and services can communicate with them
HARDENINGReview and enforce clinical network security best practices as recommended by GE (e.g., network monitoring, access controls, system hardening)
View full CISA ICS-CERT advisory
API: /api/v1/advisories/f77a2e80-9a12-406e-a3a9-08f32d55b9e1

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.