The Department of Homeland Security’s (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) recently discovered that some GE Medical Devices are vulnerable to malicious attackers.

On March 13, the ICS-CERT published information on how some of GE’s imaging machines are vulnerable to cyber attack.  Scott Erven, an independent researcher, submitted his findings showing that many of the imaging devices have default or hard-coded credentials.  GE performed a self-assessment and confirmed the findings.

What’s the big deal about default credentials?

Default credentials are a basic username and password that are implemented in some devices when they are manufactured.  This allows for companies who purchase these devices to do the initial setup and program installation. Often, the device will prompt the admin to change the credentials, but that is not always the case.

In this instance, it’s likely that the medical devices have default credentials so that technicians can service the product without someone creating an account for them.

What does this mean?

Often, default credentials are very basic and repeated across several devices. Many will use “admin” for both the username and password. Also, the credentials are oftentimes published online on the manufacturer’s support website in the User Guides or Setup Instructions.  If the default credentials are left on the device, anyone who wants to try and access the device can do so with a little research and very little effort. Depending on what the attacker wants to do, and how connected the devices are to the rest of the network, will determine the extent of the damages and breach.

An attacker could easily gain access to the effected system and cause unwanted changes.  This would be detrimental to patients, and the organization would be responsible.  If the attacker is trying to gain information, they may be able to pull cached protected health information (PHI) from the device or gather the PHI from the repository the device uses for storage.

To determine if one of your medical devices is affected, review the list of devices here.  To learn what else you can do to protect against these vulnerabilities, join HIPAAgps today.