• Skip to main content
  • Skip to secondary menu
  • Skip to primary sidebar
  • Skip to secondary sidebar
  • Skip to footer

  • Opinion
  • Health IT
    • Behavioral Health
    • Care Coordination
    • EMR/EHR
    • Interoperability
    • Patient Engagement
    • Population Health Management
    • Revenue Cycle Management
    • Social Determinants of Health
  • Digital Health
    • AI
    • Blockchain
    • Precision Medicine
    • Telehealth
    • Wearables
  • Life Sciences
  • Investments
  • M&A
  • Value-based Care
    • Accountable Care (ACOs)
    • Medicare Advantage

Researchers Uncover Critical Vulnerabilities in GE HealthCare Ultrasound Systems and EchoPAC Software

by Fred Pennic 05/15/2024 Leave a Comment

  • LinkedIn
  • Twitter
  • Facebook
  • Email
  • Print
Researchers Uncover Critical Vulnerabilities in GE HealthCare Ultrasound Systems and EchoPAC Software
The Vivid T9 ultrasound system

What You Should Know: 

– Security researchers at Nozomi Networks Labs have identified a total of 11 vulnerabilities affecting GE HealthCare’s Vivid family of ultrasound machines, the accompanying Common Service Desktop web application, and EchoPAC PC software. 

– These vulnerabilities could be exploited by attackers to disrupt critical medical procedures, compromise patient data privacy, and hinder accurate diagnoses.

Vulnerable Devices and Potential Impacts

  • Vivid T9 Ultrasound System: An attacker with physical access to the device could potentially deploy ransomware, effectively locking healthcare providers out of the system and delaying critical procedures.
  • Common Service Desktop Web Application: Abusing vulnerabilities in this application could grant attackers access to the entire ultrasound system.
  • EchoPAC PC Software: Attackers on the same network as a vulnerable EchoPAC installation could potentially steal or manipulate patient data stored on the software.

Technical Details and Attack Scenarios

The researchers detail various attack scenarios that exploit these vulnerabilities. One concerning scenario involves a two-phase attack on the Vivid T9 system:

  1. Gaining Local Access: Abusing a vulnerability in the Common Service Desktop application allows an attacker to bypass security restrictions and gain local access to the ultrasound machine.
  2. Executing Code and Deploying Ransomware: Another vulnerability in Common Service Desktop allows attackers to execute code with full administrative privileges. This could be used to deploy ransomware, disrupting critical medical procedures.

Ransomware is just one potential consequence. Stolen patient data could be misused or sold on the dark web, posing a significant risk to individuals’ privacy.

Risk Management and Recommendations

GE HealthCare has confirmed that their medical staff has conducted a safety risk assessment and concluded the associated safety risk is controlled. However, the researchers highlight the increasing frequency and complexity of ransomware attacks against healthcare providers.

Recommendations for healthcare providers include:

  • Patching Systems: Refer to the GE HealthCare Product Security Portal for official patches and mitigations.
  • Physical Security: Never leave ultrasound devices unattended, even for a short period.
  • Network Segmentation: Implement proper network segmentation to limit communication between devices and the broader network.
  • Firewall Rules: For workstations with EchoPAC installed, implement firewall rules to block unnecessary network traffic.
  • LinkedIn
  • Twitter
  • Facebook
  • Email
  • Print

Tagged With: Cybersecurity

Tap Native

Get in-depth healthcare technology analysis and commentary delivered straight to your email weekly

Reader Interactions

Primary Sidebar

Subscribe to HIT Consultant

Latest insightful articles delivered straight to your inbox weekly.

Submit a Tip or Pitch

Featured Interview

Reach7 Diabetes Studios Founder Chun Yong on Reimagining Chronic Care with a Concierge Medical Model

Most-Read

Evernorth Health Services Invests $3.5B in Shields Health Solutions

Evernorth Health Services Invests $3.5B in Shields Health Solutions

KLAS Report: Oracle Health Faces Customer Losses and Declining Satisfaction

KLAS Report: Oracle Health Faces Customer Losses and Declining Satisfaction

Tempus AI Acquires Digital Pathology Leader Paige for $81.25M

M&A:Tempus AI Acquires Digital Pathology Leader Paige for $81.25M

Mira Launches Ultra4™, the First At-Home Hormone Monitor with Lab-Quality Insights

Femtech: Mira Launches Ultra4™, the First At-Home Hormone Monitor with Lab-Quality Insights

Preparing for the ‘Big Beautiful Bill’: How Digitization Can Streamline Medicaid Eligibility & Social Care Delivery

Preparing for the ‘Big Beautiful Bill’: How Digitization Can Streamline Medicaid Eligibility & Social Care Delivery

How Healthcare CIOs Can Solve the Unstructured Data Crisis and Reduce Storage Costs

How Healthcare CIOs Can Solve the Unstructured Data Crisis and Reduce Storage Costs

Healthcare C-Suite Acknowledges AI Potential but Lacks Trust

Sage Growth Partners Report: Healthcare C-Suite Acknowledges AI Potential but Lacks Trust

EVERSANA and Waltz Health Merge to Redefine Pharmaceutical Commercialization

EVERSANA and Waltz Health Merge to Redefine Pharmaceutical Commercialization

Advancing Diabetes Care: Combating Burnout and Harnessing Technology

Advancing Diabetes Care: Combating Burnout and Harnessing Technology

White House Event Unveils CMS Health Tech Ecosystem Initiative

White House Event Unveils CMS Health Tech Ecosystem Initiative

Secondary Sidebar

Footer

Company

  • About Us
  • Advertise with Us
  • Reprints and Permissions
  • Submit An Op-Ed
  • Contact
  • Subscribe

Editorial Coverage

  • Opinion
  • Health IT
    • Care Coordination
    • EMR/EHR
    • Interoperability
    • Population Health Management
    • Revenue Cycle Management
  • Digital Health
    • Artificial Intelligence
    • Blockchain Tech
    • Precision Medicine
    • Telehealth
    • Wearables
  • Startups
  • Value-Based Care
    • Accountable Care
    • Medicare Advantage

Connect

Subscribe to HIT Consultant Media

Latest insightful articles delivered straight to your inbox weekly

Copyright © 2025. HIT Consultant Media. All Rights Reserved. Privacy Policy |