Security researchers have disclosed almost a dozen security flaws impacting the GE HealthCare Vivid Ultrasound product family that could be exploited by malicious actors to tamper with patient data and even install ransomware under certain circumstances.<\/p>\n
“The impacts enabled by these flaws are manifold: from the implant of ransomware on the ultrasound machine to the access and manipulation of patient data stored on the vulnerable devices,” operational technology (OT) security vendor Nozomi Networks said in a technical report.<\/p>\n
The security issues impact the Vivid T9 ultrasound system and its pre-installed Common Service Desktop web application, which is exposed on the localhost interface of the device and allows users to perform administrative actions.<\/p>\n
They also affect another software program called EchoPAC that’s installed on a doctor’s Windows workstation to help them access multi-dimensional echo, vascular, and abdominal ultrasound images.<\/p>\n
That being said, successful exploitation of the flaws requires a threat actor to first gain access to the hospital environment and physically interact with the device, after which they can be exploited to achieve arbitrary code execution with administrative privileges.<\/p>\n
In a hypothetical attack scenario, a malicious actor could lock out the Vivid T9 systems by implanting a ransomware payload and even exfiltrate or tamper with patient data.<\/p>\n