• Skip to main content
  • Skip to secondary menu
  • Skip to primary sidebar
  • Skip to secondary sidebar
  • Skip to footer

  • Opinion
  • Health IT
    • Behavioral Health
    • Care Coordination
    • EMR/EHR
    • Interoperability
    • Patient Engagement
    • Population Health Management
    • Revenue Cycle Management
    • Social Determinants of Health
  • Digital Health
    • AI
    • Blockchain
    • Precision Medicine
    • Telehealth
    • Wearables
  • Life Sciences
  • Investments
  • M&A
  • Value-based Care
    • Accountable Care (ACOs)
    • Medicare Advantage

Researchers Uncover Critical Vulnerabilities in GE HealthCare Ultrasound Systems and EchoPAC Software

by Fred Pennic 05/15/2024 Leave a Comment

  • LinkedIn
  • Twitter
  • Facebook
  • Email
  • Print
Researchers Uncover Critical Vulnerabilities in GE HealthCare Ultrasound Systems and EchoPAC Software
The Vivid T9 ultrasound system

What You Should Know: 

– Security researchers at Nozomi Networks Labs have identified a total of 11 vulnerabilities affecting GE HealthCare’s Vivid family of ultrasound machines, the accompanying Common Service Desktop web application, and EchoPAC PC software. 

– These vulnerabilities could be exploited by attackers to disrupt critical medical procedures, compromise patient data privacy, and hinder accurate diagnoses.

Vulnerable Devices and Potential Impacts

  • Vivid T9 Ultrasound System: An attacker with physical access to the device could potentially deploy ransomware, effectively locking healthcare providers out of the system and delaying critical procedures.
  • Common Service Desktop Web Application: Abusing vulnerabilities in this application could grant attackers access to the entire ultrasound system.
  • EchoPAC PC Software: Attackers on the same network as a vulnerable EchoPAC installation could potentially steal or manipulate patient data stored on the software.

Technical Details and Attack Scenarios

The researchers detail various attack scenarios that exploit these vulnerabilities. One concerning scenario involves a two-phase attack on the Vivid T9 system:

  1. Gaining Local Access: Abusing a vulnerability in the Common Service Desktop application allows an attacker to bypass security restrictions and gain local access to the ultrasound machine.
  2. Executing Code and Deploying Ransomware: Another vulnerability in Common Service Desktop allows attackers to execute code with full administrative privileges. This could be used to deploy ransomware, disrupting critical medical procedures.

Ransomware is just one potential consequence. Stolen patient data could be misused or sold on the dark web, posing a significant risk to individuals’ privacy.

Risk Management and Recommendations

GE HealthCare has confirmed that their medical staff has conducted a safety risk assessment and concluded the associated safety risk is controlled. However, the researchers highlight the increasing frequency and complexity of ransomware attacks against healthcare providers.

Recommendations for healthcare providers include:

  • Patching Systems: Refer to the GE HealthCare Product Security Portal for official patches and mitigations.
  • Physical Security: Never leave ultrasound devices unattended, even for a short period.
  • Network Segmentation: Implement proper network segmentation to limit communication between devices and the broader network.
  • Firewall Rules: For workstations with EchoPAC installed, implement firewall rules to block unnecessary network traffic.
  • LinkedIn
  • Twitter
  • Facebook
  • Email
  • Print

Tagged With: Cybersecurity

Tap Native

Get in-depth healthcare technology analysis and commentary delivered straight to your email weekly

Reader Interactions

Primary Sidebar

Subscribe to HIT Consultant

Latest insightful articles delivered straight to your inbox weekly.

Submit a Tip or Pitch

HLTH 2025 Coverage

HLTH 2025 Day 1 Summary & Insights: AMA Launches AI Governance Center, Google Cloud, Microsoft, ChatGPT for Medicine

Featured Interview

ConcertAI VP Shares View on AI Hallucinations and the Fabricated Data Crisis in Scientific Publishing

Most-Read

Cleveland Clinic and Khosla Ventures Form Strategic Alliance to Accelerate Healthcare Innovation

Cleveland Clinic and Khosla Ventures Form Strategic Alliance to Accelerate Healthcare Innovation

Northwell Health Selects to Deploy Abridge’s Ambient AI Across 28 Hospitals

Northwell Health to Deploy Abridge’s Ambient AI Across 28 Hospitals

Omada Health Launches "Nutritional Intelligence" with AI Agent OmadaSpark

Omada Health Launches AI-Powered Meal Map to Transform Nutrition for Cardiometabolic Patients

From Overwhelmed to Optimized: How AI Agents Address Staffing Challenges and Burnout in Healthcare

From Overwhelmed to Optimized: How AI Agents Address Staffing Challenges and Burnout in Healthcare

Qualtrics Acquires Press Ganey Forsta for $6.75B to Create the Most Comprehensive AI Experience Platform

Qualtrics Acquires Press Ganey Forsta for $6.75B to Create the Most Comprehensive AI Experience Platform

Pfizer and Trump Administration Announce Landmark Agreement to Lower Drug Costs

Pfizer and Trump Administration Announce Landmark Agreement to Lower Drug Costs

KLAS Report: Epic's Native Ambient Speech Tool Reshapes Customer AI Strategies

KLAS Report: Epic’s Native Ambient Speech Tool Reshapes Customer AI Strategies

Epic Unveils MyChart Central and New APIs to Advance Interoperability at Open@Epic

Epic Outlines Roadmap for Next-Generation Data Sharing at Open@Epic

Epic Launches Comet: A New AI Platform to Predict Patient Health Journeys

Epic Launches Comet: A New AI Platform to Predict Patient Health Journeys

RevSpring to Acquire Kyruus Health, Creating a Unified Patient Experience

RevSpring to Acquire Kyruus Health, Creating a Unified Patient Experience

Secondary Sidebar

Footer

Company

  • About Us
  • Advertise with Us
  • Reprints and Permissions
  • Op-Ed Submission Guidelines
  • Contact
  • Subscribe

Editorial Coverage

  • Opinion
  • Health IT
    • Care Coordination
    • EMR/EHR
    • Interoperability
    • Population Health Management
    • Revenue Cycle Management
  • Digital Health
    • Artificial Intelligence
    • Blockchain Tech
    • Precision Medicine
    • Telehealth
    • Wearables
  • Startups
  • Value-Based Care
    • Accountable Care
    • Medicare Advantage

Connect

Subscribe to HIT Consultant Media

Latest insightful articles delivered straight to your inbox weekly

Copyright © 2025. HIT Consultant Media. All Rights Reserved. Privacy Policy |