The Security Ledger Podcast

The Security Ledger Podcast


Episode 174: GE’s Very Bad Day – Unpacking the MDHex Vulnerabilities

February 03, 2020

The U.S. Department of Homeland Security warned of critical vulnerabilities in a range of products by GE. We speak with Elad Luz, the head of research at CyberMDX, which discovered the holes.

Caring for sick patients in a hospital is as much about mastering technology these days as it is about mastering biology, physiology and chemistry. The modern hospital room is a forest of beeping, blinking computer hardware that does everything from measuring vital signs to administering medication or life saving treatments.

Report: Hacking Risk for Connected Vehicles Shows Significant Decline

All that hardware and software is prone to cyber security vulnerabilities, however, and cyber risk is a growing concern for providers. Witness the warning issued by the Department of Homeland Security on January 23 about a slew of vulnerabilities in products by healthcare giant GE.

Elad Luz is the head of research at CyberMDX.

DHS’s ICS CERT warned that a collection of six cybersecurity vulnerabilities discovered in a range of GE Healthcare devices could allow an attacker to make changes at the software level of the device. Those changes could render the device unusable, interfere with its proper functioning, expose Patient Health Information – or all of the above.

The vulnerabilities – collectively referred to as MDhex – were discovered by the firm CyberMDX, which was looking into the product’s use of a deprecated open source component known as “webmin” as well as what the company described as “problematic open port configurations” in GE CARESCAPE patient monitoring workstation. Five of the vulnerabilities were given CVSS (v3.1) values of 10, while the remaining vulnerability scored an 8.5 on the National Infrastructure Advisory Council’s (NIAC) 1-10 scale for assessing the severity of computer system vulnerabilities.

In this episode of the podcast, we invited Elad Luz, the head of research at CyberMDX into the studio to talk about the security holes. Luz and CyberMDX discovered the flaws, reported them to GE and then worked with the company and DHS on a coordinated disclosure of the holes. In this conversation, Elad and I talk about the flaws CyberMDX discovered and some of the challenges facing healthcare organizations as they try to secure medical hardware and software deployed in clinical settings.