GE HealthCare issues guidance for mitigating 11 security bugs in ultrasound devices

GE Healthcare recently published mitigation guidance for healthcare facilities that use a popular line of ultrasound devices, following the discovery of 11 vulnerabilities. 

The flaws, publicly reported this week by researchers at Nozomi Networks, affect the Vivid T9 ultrasound system and its pre-installed Common Service Desktop web application as well as the EchoPAC software. 

Nozomi Networks said the vulnerabilities could allow malware installation on an ultrasound machine or unauthorized access to the patient data stored on the devices. A GE Healthcare spokesperson told Recorded Future News that the company has not received any reports that the bugs have been exploited. 

The Vivid T9 is built for cardiac imaging, but it can also be used as a general-purpose ultrasound system for other parts of the body. Common Service Desktop is an application that facilitates administrative tasks like password changes, logs and more. EchoPAC is a tool doctors use to look at ultrasound images. 

Seven of the vulnerabilities carry severity scores over 7. Nozomi Networks experts said they worked with GE Healthcare to examine the issues. 

The devices and software are not being recalled, the GE Healthcare spokesperson said. GE Healthcare published two advisories about the issues on Tuesday. 

“We recently disclosed potential cybersecurity vulnerabilities for several ultrasound systems that, if acted upon, could render a system unusable or disclose limited patient information,” a spokesperson said. “We conducted a thorough investigation of the issue and determined existing mitigations and controls are in place and effective.”

The medical device industry has faced increasing pressure to address software and hardware vulnerabilities. Health-ISAC, an information sharing organization for the U.S. healthcare sector, said in a 2023 report that researchers had found nearly 1,000 exploitable bugs in medical products.

Physical access needed

Nozomi Networks said that exploitation of the vulnerabilities would require physical interaction with the device because an attacker needs to operate with the embedded keyboard and trackpad.

The security company discovered that the Vivid T9 has a fully-fledged desktop PC running a version of Microsoft Windows 10 customized by GE HealthCare embedded inside of it. 

The 11 vulnerabilities found in Vivid T9, Common Service Desktop and EchoPAC Software would allow a hacker to gain administrative privileges.

“In a similar fashion to previous research conducted by Nozomi Networks Labs, we successfully verified the ability to lock the Vivid T9 by means of a proof-of-concept ransomware,” the researchers said. 

“After physically accessing the device and removing all Windows security protections (which was possible due to the full privileges obtained), we were able to disrupt the device logic while simultaneously showing a picture on the screen asking for the payment of a ransom. A similar payload may also be executed against a doctor’s workstation running Echopac.”

The same access could be used to both access and manipulate patient data on the device. 

A GE HealthCare spokesperson said data stored on ultrasound devices is often limited and that it is not intended as a permanent record-keeping system. In most clinical settings, ultrasound systems are located in a secure environment where they cannot be accessed by outsiders, the spokesperson said.