New FDA cybersecurity guidelines are out. Join the webinar to learn more.

11 Vulnerabilities Discovered in Popular Ultrasound Machine (Here’s why it’s a game changer)


It was only a matter of time before a significant event occurred, such as General Electric’s recent discovery of 11 cybersecurity vulnerabilities in one of its ultrasound machines.

As companies continue to increase the value placed on product security for their medical devices, it has proven to be an ongoing challenge for teams to maintain both new and legacy devices. 

Whether vulnerabilities stem from a simple oversight or from challenges in SBOM and record keeping, organizations continuously feel pressure to update their product security processes in a way that paves the way for scalable automation. In the meantime, medical device manufacturers and their suppliers are on the edge of their seats, watching closely to see how the FDA reacts and how GE charts a path through this uncharted territory.

Key Takeaways

  • The Discovery: Insight into the vulnerabilities found in GE Healthcare’s ultrasound systems and their potential exploitation risks.
  • Implications for Healthcare: A deep dive into how these vulnerabilities could affect patient safety, data security, and the overall trust in medical institutions.
  • GE Healthcare’s Response: An overview of the steps GE Healthcare is taking to address these security flaws and enhance the protection of their devices.
  • Strengthening Medical Device Security: Practical recommendations and strategies for both manufacturers and healthcare providers to improve the cybersecurity of medical devices.

Legacy FDA Product Security

Until the release of the FDA’s 2023 Premarket Authorization Guidelines, the agency lacked the legal authority to enforce cybersecurity standards. However, that fiscal year’s Omnibus, once passed into law, gave the FDA the legal authority to enforce product security standards across medical devices, approving devices that are cyber-secure and refusing to accept those that aren’t.

Watch: Achieving FDA Premarket Authorization From Big Picture to Small Details

However, the FDA didn’t immediately begin revoking market authorizations for products already in the field. Doing so could create instability in the medical sector, as facilities would need to shut down many of their critical devices. Instead, the same Refuse to Accept (RTA) announcement also committed to working with the ecosystem to implement the minimums for medical device cybersecurity.

To be clear, companies were never let off the hook for their devices’ cybersecurity vulnerabilities. It is still on them to keep the product secure throughout the full product lifecycle, regardless of when it was first deployed. The vulnerabilities in the GE ultrasound machine reveal serious problems in its security design.

Researchers identified several vulnerabilities in GE’s ultrasound systems that malicious actors could potentially exploit. These vulnerabilities, classified under the identifier ICSMA-20-049-02 by the Cybersecurity and Infrastructure Security Agency (CISA), pose a serious risk to healthcare facilities using these ultrasound devices.

The specific vulnerabilities involve using hard-coded credentials, a known security weakness detailed in the Common Weakness Enumeration (CWE-798). This flaw allows attackers to gain unauthorized access to ultrasound devices, potentially compromising patient data and the integrity of diagnostic procedures.
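As an added illustration of the CWE-798 weakness described above (this is not GE’s or Cybellum’s code, and the device, file paths and credentials are constructed), the following shows a service-login check that relies on a credential baked into the firmware image beside a hardened version that uses a per-unit credential provisioned at manufacturing time, stored as a salted PBKDF2 hash and compared in constant time:

```python
"""
Added example (not from the original article or from GE/Cybellum):
the CWE-798 pattern and one way to remove it. All names, paths and
sample values below are constructed for illustration.
"""
import hashlib
import hmac
import json
import os
import secrets
import tempfile

# --- Weak pattern (CWE-798): one secret shared by every unit shipped. ---
# Anyone who extracts the firmware image learns the credential for the
# whole fleet, and it cannot be rotated without a new firmware release.
_SERVICE_PASSWORD = "constructed-example-password"  # hypothetical value


def weak_service_login(password: str) -> bool:
    # Plain '==' also leaks timing information about the comparison.
    return password == _SERVICE_PASSWORD


# --- Hardened pattern: per-device credential, salted hash, constant time. ---
PBKDF2_ITERATIONS = 600_000  # current OWASP guidance for PBKDF2-HMAC-SHA256


def provision_device(cred_path: str, password: str = "") -> str:
    """Write a per-unit credential record at provisioning time.

    Returns the generated password so it can be delivered to the service
    organisation out of band; only the salted hash stays on the device.
    """
    password = password or secrets.token_urlsafe(24)
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    record = {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}
    with open(cred_path, "w") as fh:
        json.dump(record, fh)
    os.chmod(cred_path, 0o600)  # readable only by the service account
    return password


def hardened_service_login(cred_path: str, password: str) -> bool:
    """Verify a presented password against the device's own record."""
    with open(cred_path) as fh:
        record = json.load(fh)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    # hmac.compare_digest runs in constant time regardless of where inputs differ.
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def demo() -> dict:
    """Provision a throwaway device record and exercise both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "service.cred")
        pw = provision_device(path)
        return {
            "weak_default_works": weak_service_login(_SERVICE_PASSWORD),
            "hardened_right": hardened_service_login(path, pw),
            "hardened_wrong": hardened_service_login(path, pw + "x"),
        }


if __name__ == "__main__":
    print(demo())
```

The point of the hardened version is not the hashing alone: because each unit carries its own record, a credential recovered from one device or one firmware dump does not open the rest of the installed base, and the record can be re-provisioned in the field without shipping new firmware.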

Report- Safety First: Breaking Down the FDA’s 2023 Premarket Cybersecurity Regulations

Implications for Healthcare

The implications of these vulnerabilities are profound. Ultrasound systems are pivotal in diagnosing and monitoring a wide range of medical conditions, from pregnancy to cardiac issues. Unauthorized access to these systems could lead to manipulation of diagnostic results, breaches of patient confidentiality, and even disruption of critical healthcare services.

The potential consequences highlight the necessity for robust cybersecurity measures in the medical field. The exploitation of these vulnerabilities could undermine the trust patients place in medical institutions and jeopardize the quality of care provided.

GE Healthcare's Response

In response to these findings, GE Healthcare has taken steps to mitigate the risks associated with these vulnerabilities. The company is working closely with cybersecurity experts and healthcare providers to develop patches and updates addressing the identified flaws. GE has also emphasized the importance of regular system updates and adherence to cybersecurity best practices to protect against potential threats.

Additionally, GE Healthcare is advising medical facilities to implement stringent access controls and network segmentation to reduce the risk of unauthorized access. These measures, combined with the forthcoming software updates, aim to bolster the security of ultrasound systems and safeguard patient information.

How the Product Security Platform Helps Streamline FDA PMA Compliance

Cybellum’s Product Security Platform and Professional Services offer comprehensive solutions that align with the FDA’s cybersecurity guidelines and can help address the same vulnerabilities identified in GE’s device:

Automated Risk Management: The platform supports continuous risk management activities, automating the identification and mitigation of cybersecurity risks across the product lifecycle. For example, the Product Security Platform scans for new vulnerabilities on a pre-scheduled timeline or as part of a workflow to ensure that information remains up to date and devices remain secure.

Threat Modeling and Assessment: Cybellum’s partnership with itemis allows product security teams to build and integrate detailed threat models, enriching them with contextual data to improve risk assessments. 

Watch: Mastering TARA and Risk Management with itemis and Cybellum

SBOM Management: The platform enables the generation and management of SBOMs, ensuring up-to-date and accurate documentation of all software components used within medical devices. This allows for real-time tracking of software components and their associated vulnerabilities, ensuring that all parts of the device are secure.

Vulnerability Management: Automated vulnerability assessments and exploitability analyses help proactively identify and address potential security issues. For instance, Cybellum’s platform can automatically identify outdated software components and suggest updates or patches, reducing the risk of exploitation.
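The two items above (SBOM management and vulnerability management) describe the same underlying mechanism: matching the components recorded in a device’s SBOM against a vulnerability feed and reporting which versions are affected and where a fix exists. The following is an added example of that matching step, written here for illustration and not taken from Cybellum’s platform. The SBOM uses real CycloneDX field names (`components`, `name`, `version`, `purl`) but its contents, the advisory identifiers and the affected ranges are all constructed; the version comparison is a simplified one that handles dotted numeric versions with an optional letter suffix, not a full implementation of any packaging ecosystem’s rules.

```python
"""
Added example (not Cybellum's code): match SBOM components against a
vulnerability feed. SBOM contents, advisory ids and ranges are constructed.
"""
import json
import re

# Constructed CycloneDX-style SBOM for a hypothetical device firmware image.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1k", "purl": "pkg:generic/openssl@1.1.1k"},
    {"type": "library", "name": "busybox", "version": "1.36.1", "purl": "pkg:generic/busybox@1.36.1"},
    {"type": "library", "name": "zlib",    "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"}
  ]
}"""

# Constructed advisory feed (placeholder ids, not real CVEs).
# "affected" is an inclusive lower bound and an exclusive upper bound.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "component": "openssl", "affected": ("1.1.1", "1.1.1q"), "fixed_in": "1.1.1q"},
    {"id": "EXAMPLE-ADV-0002", "component": "zlib",    "affected": ("1.2.0", "1.2.12"), "fixed_in": "1.2.12"},
    {"id": "EXAMPLE-ADV-0003", "component": "busybox", "affected": ("1.30.0", "1.35.0"), "fixed_in": "1.35.0"},
]


def version_key(version: str) -> list:
    """Simplified sortable key: numeric runs compare as integers, letter
    runs (e.g. the 'k' in 1.1.1k) compare as strings after the numbers."""
    return [(1, int(t)) if t.isdigit() else (0, t)
            for t in re.findall(r"\d+|[A-Za-z]+", version)]


def in_range(version: str, lower: str, upper: str) -> bool:
    """True if lower <= version < upper under version_key ordering."""
    return version_key(lower) <= version_key(version) < version_key(upper)


def match_sbom(sbom_json: str, advisories: list) -> list:
    """Return one finding per (component, advisory) pair whose version is affected."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if adv["component"] != comp["name"]:
                continue
            lower, upper = adv["affected"]
            if in_range(comp["version"], lower, upper):
                findings.append({
                    "component": comp["name"],
                    "version": comp["version"],
                    "purl": comp.get("purl"),
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed_in"],
                })
    return findings


def report(findings: list) -> str:
    """Human-readable summary suitable for a scheduled scan's output."""
    if not findings:
        return "No affected components."
    lines = [f"{f['component']} {f['version']}: {f['advisory']} (fixed in {f['fixed_in']})"
             for f in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(match_sbom(SBOM_JSON, ADVISORIES)))
```

Run on the constructed input, the scan flags openssl and zlib and leaves busybox alone because its version lies above the affected range. In a real pipeline the SBOM would be regenerated from each firmware build and the advisory feed refreshed on the scheduled timeline the article describes, so that a component that was clean at release shows up as affected as soon as a new advisory lands.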

Secure Development Practices: The platform enforces secure coding standards and cryptographic requirements, ensuring compliance with FDA guidelines. This ensures that security is a primary focus from the initial development phase, reducing the likelihood of vulnerabilities being introduced into the system.

Post-Market Surveillance: Cybellum provides tools for ongoing monitoring and incident response, ensuring that devices remain secure throughout their operational lifecycle. 

Data Sheet- Complying with FDA PMA Cybersecurity Guidelines

Product Security at Scale

The discovery of 11 cybersecurity vulnerabilities in GE’s ultrasound machine underscores the critical need for robust cybersecurity measures in medical devices. These vulnerabilities highlight significant compliance gaps with the FDA’s 2023 PMA guidelines. However, by leveraging a product security strategy that aims to automate and streamline compliance activities, medical device manufacturers can effectively address these issues, ensuring that their devices are secure, compliant, and resilient against evolving cyber threats.

Ready to scale your compliance activities? Book a demo.