Today, GE Healthcare — in coordination with CyberMDX and CISA (formerly ICS-CERT) — publicly disclosed the discovery of six software design flaws affecting seven products in their popular CARESCAPE line. These flaws represent a significant cybersecurity risk and offer an open door to bad actors who might seek to disrupt hospital operations or steal valuable medical data.
Together, this bundle of vulnerabilities has been dubbed "MDhex" — a reference not only to the number of CVEs issued (hex coming from the Greek for six) and their existence in medical devices (MD), but a nod to the researchers responsible for their discovery (CyberMDX) and the potential for bad actors to wreak havoc from a distance (as in a witch's hex).
The CyberMDX research team found these vulnerabilities while investigating the use of deprecated webmin versions and potentially problematic open port configurations in GE's CARESCAPE CIC Pro workstation — a popular product among CyberMDX customers.
The investigation resulted in CISA Advisory ICSMA-20-023-01, which lists six separate vulnerabilities — CVE-2020-6961, CVE-2020-6962, CVE-2020-6963, CVE-2020-6964, CVE-2020-6965, and CVE-2020-6966. Five of the vulnerabilities were given max CVSS (v3.1) values of 10, while the remaining vulnerability scored an 8.5.
After CyberMDX flagged these vulnerabilities and brought them to the attention of GE Healthcare, GE launched their own internal investigation, which found these vulnerabilities to extend to other products in their CARESCAPE portfolio. In total, GE identified six additional devices affected; namely, three different models of GE's CARESCAPE Patient Monitors, the CARESCAPE Central Station (CSCS), the Apex Pro Telemetry Server/Tower, and the CARESCAPE Telemetry Server.
Launched in 2007, the CARESCAPE product line is extremely popular and has seen adoption in hospitals across the globe. Though GE declined to comment on the precise number of affected devices in use globally, the installed base is believed to be very large.
The Valued Role of Vulnerability Research
For most industries, it's third-party vulnerability researchers that are out in front of the market — calling attention to security gaps and pushing both device manufacturers and users to catch up their design practices and management practices, respectively.
Unfortunately, in healthcare, more often than not, that vital role goes unfilled. Since medical devices are significantly more difficult to access, they're much less researched. For example, many medical devices, like MRI machines, are prohibitively expensive. This prevents most independent researchers from even entertaining the notion of a research project centered on those devices. Similarly, there may be laws and vendor policies that prevent non-healthcare entities from getting their hands on medical devices. The technical complexity associated with proper device installation, configuration, and calibration may also serve as an impediment to research.
Regardless of the reason though, the fact is that healthcare technologies and environments represent a distinctly under-explored area of vulnerability research. With a team devoted specifically to original medical device vulnerability research, CyberMDX has resolved to help change that.
Leveraging our healthcare cyber intelligence solution, we work with our customers and make use of our own medical device lab to identify and drill into the technology issues and suspected security shortcomings that are most likely to impact hospitals. And so it was in the case of MDhex.
Immediately upon discovering, validating, and documenting these vulnerabilities, CyberMDX reached out to the appropriate parties to coordinate a responsible path forward. Below is a timeline covering the behind-the-scenes interactions that took MDhex from discovery to disclosure:
Immediate Steps to Take
In response to MDhex, GE is developing software updates with additional security enhancements. Affected device users are encouraged to access GE’s security website to receive the most up-to-date information and to subscribe to notifications when patches become available.
Until such a time as those patches are issued, you are advised to take the mitigating steps detailed below.
- Provided it is not absolutely necessary for the device’s core clinical functionality, utilize a firewall to block the following ports:
  - 22 (SSH)
  - 445/137 (SMB)
  - 5225 (MultiMouse)
  - 5800/5900 (VNC)
  - 10000 (Webmin)
  - 10001 (GE update manager)
- Make sure that your CARESCAPE deployment is configured according to the network topology designed by GE. Specifically, it's important that:
  - The MC and Rx networks be isolated
  - The IX network be set up outside of your broader hospital network and routed to it via firewall
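The port-blocking step above is easy to state and easy to get wrong in practice, because a device that is thought to be behind a firewall may still expose one of those services on an interface nobody looked at. The script below is an added example written for this post; it is not CyberMDX's or GE's code and it does not interact with a CARESCAPE device. It takes `ss -Hltun`-style listening-socket output (the sample here is constructed, not captured from a real device), flags any socket on the MDhex port list that is bound to a non-loopback address, and emits a draft nftables ruleset for a hypothetical interface name `eth0` that you would review and adapt before loading on the Linux host or network firewall in front of the device.

```python
"""Audit listening sockets against the MDhex mitigation port list.

Added example, not CyberMDX's or GE's code. Assumes `ss -Hltun`-style
input; the sample output below is constructed for illustration.
"""
import re

# Ports named in the MDhex mitigation guidance in the advisory text above.
MDHEX_PORTS = {
    22: "SSH",
    137: "SMB",
    445: "SMB",
    5225: "MultiMouse",
    5800: "VNC",
    5900: "VNC",
    10000: "Webmin",
    10001: "GE update manager",
}

# Constructed sample of `ss -Hltun` output (not from a real CARESCAPE host).
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0  128  0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0  50   0.0.0.0:445       0.0.0.0:*
udp   UNCONN 0  0    0.0.0.0:137       0.0.0.0:*
tcp   LISTEN 0  128  0.0.0.0:5900      0.0.0.0:*
tcp   LISTEN 0  128  0.0.0.0:10000     0.0.0.0:*
tcp   LISTEN 0  128  127.0.0.1:631     0.0.0.0:*
tcp   LISTEN 0  128  [::]:80           [::]:*
"""

# Columns: proto, state, recv-q, send-q, local address:port, peer address:port
_LINE_RE = re.compile(r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+")


def parse_listeners(ss_output):
    """Return (proto, local_addr, port) for each listening socket line."""
    listeners = []
    for line in ss_output.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # skip headers or lines in an unexpected shape
        addr, _, port = m.group("local").rpartition(":")
        listeners.append((m.group("proto"), addr.strip("[]"), int(port)))
    return listeners


def find_exposed(listeners, ports=MDHEX_PORTS):
    """Flag sockets on the block list bound to anything other than loopback."""
    exposed = [
        (proto, port, ports[port])
        for proto, addr, port in listeners
        if port in ports and addr not in ("127.0.0.1", "::1")
    ]
    return sorted(exposed, key=lambda entry: entry[1])


def nft_rules(exposed, ifname="eth0"):
    """Draft an nftables input chain dropping the flagged ports on `ifname`.

    `ifname` is a hypothetical interface name; adjust to the interface
    facing the hospital network before loading with `nft -f`.
    """
    lines = [
        "table inet mdhex {",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
    ]
    for proto, port, name in exposed:
        lines.append(f'    iifname "{ifname}" {proto} dport {port} drop comment "{name}"')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_exposed(parse_listeners(SAMPLE_SS_OUTPUT))
    for proto, port, name in found:
        print(f"exposed: {proto}/{port} ({name})")
    print(nft_rules(found))
```

Run it against real `ss` output from a Linux host, or against a port-scan listing of the device converted to the same columns, and treat every flagged line as a service that the firewall in front of the device must block unless it is needed for core clinical function. The generated rules use `policy accept` so that loading them cannot cut off clinical traffic by accident; only the listed ports are dropped.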
Of course, cybersecurity is always changing and taking these steps alone will be insufficient to guarantee your security. Hospitals must remain vigilant and adopt a more proactive approach to defense. MDhex is only the most recent in a long and always growing line of vulnerability discoveries.
Keeping your hospital running safely, securely, and efficiently will not be easy, but it's hard to think of a job more worth the effort.