09 December 2020

Someday Companies Will Take Security Seriously

But today is not that day. GE puts default password in radiology devices, leaving healthcare networks exposed | Ars Technica

The devices—used for CT scans, MRIs, X-Rays, mammograms, ultrasounds, and positron emission tomography—use a default password to receive regular maintenance. The passwords are available to anyone who knows where on the Internet to look. A lack of proper access restrictions allows the devices to connect to malicious servers rather than only those designated by GE Healthcare.
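The two weaknesses in that description, a maintenance account protected by a vendor-wide default password and no restriction on which hosts the device will talk to for maintenance, are both things a hospital security team can inventory and check for itself. The following is an added example, not code from the Ars Technica article or from GE Healthcare: it audits a constructed device inventory against a set of known-default credential fingerprints and a vendor host allowlist. Every value in it is an assumption (the `placeholder-default-*` strings stand in for the real defaults, which are deliberately not reproduced; the `*.vendor.example` hosts and `SAMPLE_INVENTORY` are made up).

```python
"""Added example (not from the article or vendor): audit an imaging-device
inventory for (1) known default maintenance passwords and (2) maintenance
connections permitted to hosts outside the vendor-designated set."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def _fingerprint(secret: str) -> str:
    """Store only a hash of a credential so the audit data never holds plaintext."""
    return hashlib.sha256(secret.encode()).hexdigest()


# ASSUMPTION: placeholder strings stand in for real vendor defaults, which a
# site would obtain from the vendor advisory and fingerprint the same way.
KNOWN_DEFAULT_FINGERPRINTS = {
    _fingerprint("placeholder-default-1"),
    _fingerprint("placeholder-default-2"),
}

# ASSUMPTION: hypothetical allowlist of the vendor's designated maintenance hosts.
VENDOR_MAINTENANCE_HOSTS = {"maint.vendor.example", "backup-maint.vendor.example"}


@dataclass
class Device:
    name: str
    modality: str                     # CT, MRI, X-ray, ultrasound, PET, ...
    maint_password_fingerprint: str   # SHA-256 of the maintenance password
    maint_hosts: list[str] = field(default_factory=list)  # hosts it may reach for maintenance


def audit_device(dev: Device) -> list[str]:
    """Return human-readable findings for one device (empty list means clean)."""
    findings: list[str] = []
    if dev.maint_password_fingerprint in KNOWN_DEFAULT_FINGERPRINTS:
        findings.append(f"{dev.name} ({dev.modality}): maintenance account uses a known default password")
    # Any maintenance destination not on the vendor list is a path to a non-vendor server.
    rogue = sorted(set(dev.maint_hosts) - VENDOR_MAINTENANCE_HOSTS)
    if rogue:
        findings.append(f"{dev.name} ({dev.modality}): maintenance traffic allowed to non-vendor hosts {rogue}")
    return findings


def audit_inventory(devices: list[Device]) -> dict[str, list[str]]:
    """Map device name -> findings, keeping only devices with at least one finding."""
    report: dict[str, list[str]] = {}
    for dev in devices:
        found = audit_device(dev)
        if found:
            report[dev.name] = found
    return report


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("ct-01", "CT", _fingerprint("placeholder-default-1"), ["maint.vendor.example"]),
    Device("mri-02", "MRI", _fingerprint("site-unique-secret"), ["maint.vendor.example", "203.0.113.9"]),
    Device("us-03", "Ultrasound", _fingerprint("another-site-secret"), ["backup-maint.vendor.example"]),
]

if __name__ == "__main__":
    for name, items in audit_inventory(SAMPLE_INVENTORY).items():
        for line in items:
            print(line)
```

Run as-is it reports the CT scanner for its default password and the MRI for the extra maintenance destination, and stays quiet about the ultrasound. In practice the fingerprint set would be built from the vendor's advisory, the allowlist would be enforced at the network egress point rather than trusted from device configuration, and the audit would be rerun after every firmware or service visit, since that is exactly when a default credential tends to reappear.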

The vulnerability has a severity rating of 9.8 out of 10. It is easy to exploit, at least as a way into a hospital's network. And I am convinced that someday a medical device will be used to assassinate someone in the hospital, if it hasn't already happened.

If this design had been in place in 2010, I might be inclined to forgive it. But in 2020 the people responsible for this should be ashamed to call themselves engineers or programmers. Of course I'm sure part of the problem is that management would never approve funds. "You need how much money? Everything is fine just as it is!" And that management is now in CYA mode. In a "statement" designed to alleviate fears, GE Healthcare said the following.

We are not aware of any unauthorized access to data or incident where this potential vulnerability has been exploited in a clinical situation.

"We are not aware" is not a guarantee that this vulnerability has never been exploited anywhere. And what does "in a clinical situation" mean anyway? Does that mean it has been exploited, just not as a way to mess with the functioning of the machines, or something else? I hate weasel-wording PR releases. You have to read them VERY carefully.

They are sure there is no threat to patient safety. But they are working to close the vulnerability anyway, because aside from the incredibly bad PR, it does allow bad actors into a hospital's network, and as we have seen in the past, ransomware attacks on healthcare can have adverse effects on healthcare delivery. (You have to scroll down at that link.) Four deaths were credited to a ransomware attack detailed in that link.

Hat tip to a friend who sent me a link to the article at Ars Technica.
