Researchers say hardcoded passwords in GE medical imaging devices could put patient data at risk

A recent investigation by the security firm CyberMDX has revealed that numerous medical imaging systems manufactured by General Electric use default passwords that are difficult to change, potentially allowing unauthorized access to confidential patient scans.
According to the researchers, a malicious actor needs only network access to compromise a susceptible device. This could be achieved, for example, by deceiving a staff member into launching malware sent by email. Once inside the network, the attacker could use these unchanged, pre-set passwords to obtain patient information stored on the device or to interfere with its normal operation.
CyberMDX identified that the affected equipment includes X-ray machines, computed tomography (CT) and magnetic resonance imaging (MRI) scanners, as well as ultrasound and mammography systems.
General Electric uses these hardcoded passwords for remote device maintenance. However, Elad Luz, research lead at CyberMDX, noted that many customers were unaware of the security risk posed by these vulnerable systems. He characterized the passwords as “hardcoded” because, while changing them is possible, doing so requires a GE engineer to perform the password change on the customer’s premises.
This security issue has also prompted an advisory from CISA, the cybersecurity agency of the Department of Homeland Security. Users of the affected devices are advised to contact GE to initiate a password reset.
Hannah Huntly, a representative from GE Healthcare, stated: “We have no knowledge of any instances where this potential vulnerability has been exploited in a healthcare setting. A comprehensive risk evaluation has been completed, and we have determined that there is no threat to patient safety. Ensuring the safety, quality, and security of our devices remains our top concern.”
This discovery follows a similar finding last year by the same New York-based healthcare cybersecurity company, which identified vulnerabilities in other GE products. The company subsequently acknowledged that these earlier issues could potentially have resulted in patient harm, even though the device had initially been approved for use.
CyberMDX, which focuses on strengthening the security of medical devices and hospital networks through its cyber intelligence platform and its security research, secured $20 million in funding earlier this year, shortly after the onset of the COVID-19 pandemic.