• Skip to main content
  • Skip to secondary menu
  • Skip to primary sidebar
  • Skip to secondary sidebar
  • Skip to footer

  • Opinion
  • Health IT
    • Behavioral Health
    • Care Coordination
    • EMR/EHR
    • Interoperability
    • Patient Engagement
    • Population Health Management
    • Revenue Cycle Management
    • Social Determinants of Health
  • Digital Health
    • AI
    • Blockchain
    • Precision Medicine
    • Telehealth
    • Wearables
  • Life Sciences
  • Investments
  • M&A
  • Value-based Care
    • Accountable Care (ACOs)
    • Medicare Advantage

Researchers Uncover Critical Vulnerabilities in GE HealthCare Ultrasound Systems and EchoPAC Software

by Fred Pennic 05/15/2024 Leave a Comment

  • LinkedIn
  • Twitter
  • Facebook
  • Email
  • Print
Researchers Uncover Critical Vulnerabilities in GE HealthCare Ultrasound Systems and EchoPAC Software
The Vivid T9 ultrasound system

What You Should Know: 

– Security researchers at Nozomi Networks Labs have identified a total of 11 vulnerabilities affecting GE HealthCare’s Vivid family of ultrasound machines, the accompanying Common Service Desktop web application, and EchoPAC PC software. 

– These vulnerabilities could be exploited by attackers to disrupt critical medical procedures, compromise patient data privacy, and hinder accurate diagnoses.

Vulnerable Devices and Potential Impacts

  • Vivid T9 Ultrasound System: An attacker with physical access to the device could potentially deploy ransomware, effectively locking healthcare providers out of the system and delaying critical procedures.
  • Common Service Desktop Web Application: Abusing vulnerabilities in this application could grant attackers access to the entire ultrasound system.
  • EchoPAC PC Software: Attackers on the same network as a vulnerable EchoPAC installation could potentially steal or manipulate patient data stored on the software.

Technical Details and Attack Scenarios

The researchers detail various attack scenarios that exploit these vulnerabilities. One concerning scenario involves a two-phase attack on the Vivid T9 system:

  1. Gaining Local Access: Abusing a vulnerability in the Common Service Desktop application allows an attacker to bypass security restrictions and gain local access to the ultrasound machine.
  2. Executing Code and Deploying Ransomware: Another vulnerability in Common Service Desktop allows attackers to execute code with full administrative privileges. This could be used to deploy ransomware, disrupting critical medical procedures.

Ransomware is just one potential consequence. Stolen patient data could be misused or sold on the dark web, posing a significant risk to individuals’ privacy.

Risk Management and Recommendations

GE HealthCare has confirmed that their medical staff has conducted a safety risk assessment and concluded the associated safety risk is controlled. However, the researchers highlight the increasing frequency and complexity of ransomware attacks against healthcare providers.

Recommendations for healthcare providers include:

  • Patching Systems: Refer to the GE HealthCare Product Security Portal for official patches and mitigations.
  • Physical Security: Never leave ultrasound devices unattended, even for a short period.
  • Network Segmentation: Implement proper network segmentation to limit communication between devices and the broader network.
  • Firewall Rules: For workstations with EchoPAC installed, implement firewall rules to block unnecessary network traffic.
  • LinkedIn
  • Twitter
  • Facebook
  • Email
  • Print

Tagged With: Cybersecurity

Tap Native

Get in-depth healthcare technology analysis and commentary delivered straight to your email weekly

Reader Interactions

Primary Sidebar

Subscribe to HIT Consultant

Latest insightful articles delivered straight to your inbox weekly.

Submit a Tip or Pitch

Featured Insights

Digital Health Funding Q3 2025: Choppy Undercurrents Beneath a Steady Surface

Most-Read

Qualtrics Acquires Press Ganey Forsta for $6.75B to Create the Most Comprehensive AI Experience Platform

Qualtrics Acquires Press Ganey Forsta for $6.75B to Create the Most Comprehensive AI Experience Platform

Pfizer and Trump Administration Announce Landmark Agreement to Lower Drug Costs

Pfizer and Trump Administration Announce Landmark Agreement to Lower Drug Costs

KLAS Report: Epic's Native Ambient Speech Tool Reshapes Customer AI Strategies

KLAS Report: Epic’s Native Ambient Speech Tool Reshapes Customer AI Strategies

Epic Unveils MyChart Central and New APIs to Advance Interoperability at Open@Epic

Epic Outlines Roadmap for Next-Generation Data Sharing at Open@Epic

Epic Launches Comet: A New AI Platform to Predict Patient Health Journeys

Epic Launches Comet: A New AI Platform to Predict Patient Health Journeys

RevSpring to Acquire Kyruus Health, Creating a Unified Patient Experience

RevSpring to Acquire Kyruus Health, Creating a Unified Patient Experience

Oracle Confirms Layoffs in Kansas City

Oracle Confirms Layoffs in Kansas City

Philips Future Health Index 2025: AI and Digital Tech Can Help Solve Cardiac Care Crisis

Philips Future Health Index 2025: AI and Digital Tech Can Help Solve Cardiac Care Crisis

Optain Health Secures $26M to Advance AI-Powered Retinal Screening

Optain Health Secures $26M for AI-Powered Retinal Screening

Sutter Health and Epic Launch "Sutter Sync" to Optimize Remote Chronic Care

Sutter Health and Epic Launch “Sutter Sync” to Optimize Remote Chronic Care

Secondary Sidebar

Footer

Company

  • About Us
  • Advertise with Us
  • Reprints and Permissions
  • Submit An Op-Ed
  • Contact
  • Subscribe

Editorial Coverage

  • Opinion
  • Health IT
    • Care Coordination
    • EMR/EHR
    • Interoperability
    • Population Health Management
    • Revenue Cycle Management
  • Digital Health
    • Artificial Intelligence
    • Blockchain Tech
    • Precision Medicine
    • Telehealth
    • Wearables
  • Startups
  • Value-Based Care
    • Accountable Care
    • Medicare Advantage

Connect

Subscribe to HIT Consultant Media

Latest insightful articles delivered straight to your inbox weekly

Copyright © 2025. HIT Consultant Media. All Rights Reserved. Privacy Policy |