Patient monitoring systems are used in hospitals and clinics to display and alert on a variety of patient vital signs. They can receive data from other medical devices, and are increasingly interconnected with centralized control systems, electronic medical records, and mobile apps that support critical decision making on the go.

According to an alert issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), several health care monitoring systems from GE are susceptible to a collection of six new vulnerabilities which have been collectively labeled MDhex. The products are widely used in hospitals and believed to number in the hundreds of thousands.

As the possibility of disruptive attacks against critical infrastructure becomes increasingly significant, this is a potentially life-threatening example of lax cyber security in IoT devices. Five of the six vulnerabilities, which were discovered by medical cyber security firm CyberMDX, are rated with CVSS scores of 10 (the sixth is rated 8.5). Behind some of the vulnerabilities are frightful practices:

  • Use of operating systems and back-end software that are deprecated and vulnerable
  • Exposure of remote access tools including SSH (via Cygwin), VNC, and Kavoom
  • Hard-coded credentials that are shared ubiquitously across the entire line of products

Four months after disclosure to GE, a patch has yet to be released, and the only current mitigation appears to be segmenting the devices behind a firewall.
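As an added illustration (not from the original article, GE, CyberMDX or CISA) of what that segmentation should enforce, the script below audits flow records against an allow-list policy for a monitor VLAN: the remote-access ports the advisory names (SSH, VNC) are reachable only from one management host, and everything else on the monitors only from the central station or other monitors. The subnet, host addresses, port numbers and flow records are constructed assumptions; the Kavoom port is not given on the page and is left for the reader to add.

```python
"""Audit flow records against a segmentation policy for patient monitors.

Added example, not the article's or any vendor's code. All addresses and the
flow records below are constructed; substitute the real VLAN and hosts.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MONITOR_NET = ip_network("10.20.0.0/24")    # constructed: the monitor VLAN
CENTRAL_STATION = ip_address("10.10.0.5")   # constructed: central monitoring station
MGMT_HOST = ip_address("10.10.0.9")         # constructed: the only host allowed to administer monitors
# SSH (via Cygwin) and VNC as named in the advisory; add the Kavoom port used in
# your deployment here, it is not given in the article.
REMOTE_ACCESS_PORTS = {22, 5900}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def parse_flows(text: str) -> list[Flow]:
    """Parse 'src,dst,dport' lines, skipping blanks and '#' comments."""
    flows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        src, dst, dport = (f.strip() for f in line.split(","))
        flows.append(Flow(src, dst, int(dport)))
    return flows

def violation(flow: Flow) -> str | None:
    """Return a reason if the flow breaks the policy, else None."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if dst not in MONITOR_NET:
        return None  # policy covers only traffic into the monitor VLAN
    if flow.dport in REMOTE_ACCESS_PORTS:
        if src != MGMT_HOST:
            return f"remote-access port {flow.dport} on {flow.dst} reached from {flow.src}"
        return None
    if src == CENTRAL_STATION or src in MONITOR_NET:
        return None
    return f"port {flow.dport} on {flow.dst} reached from non-clinical host {flow.src}"

def audit(text: str) -> list[str]:
    return [v for f in parse_flows(text) if (v := violation(f))]

SAMPLE_FLOWS = """\
# src,dst,dport  (constructed records)
10.10.0.5,10.20.0.14,2000
10.10.0.9,10.20.0.14,22
192.168.50.23,10.20.0.14,5900
10.30.1.7,10.20.0.21,22
10.30.1.8,10.20.0.21,8080
10.20.0.14,10.20.0.21,2000
"""

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print("VIOLATION:", v)
```

Run against exported firewall or NetFlow records, any violation means the segmentation is not actually in force for that host.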

For a list of general IoT security best practices for the enterprise, see this technicalciso article.