The U.S. Food and Drug Administration has designated a Class II recall for specific GE HealthCare Centricity medical imaging products due to a vulnerability that could allow unauthorized access to system credentials, with potential impacts on data integrity and system functionality.
Recall Scope And Device Description
The recall involves the Centricity Universal Viewer, a system used by HIPAA-certified healthcare providers to view diagnostic images, including mammograms, along with data from multiple imaging sources. The Class II designation reflects the potential for temporary or medically reversible harm, while the likelihood of serious adverse outcomes remains low.
The affected software versions include:
- Versions 5.0 SP6 through UV 5.0 SP7.1
- Versions 6.0 through 6.0 SP10.4.1
- Versions 7.0 through 7.0 SP2.0.1
Vulnerability Details
The issue originates from exposure of user login credentials on local client workstations. This condition creates a pathway for an unauthorized individual to obtain credentials and potentially alter data or interfere with system availability.
Exploitation of the vulnerability requires physical access to the workstation where the credentials are exposed. This requirement limits the likelihood of misuse but does not remove the underlying risk.
Risk Characterization
The FDA classified the recall based on the possibility of temporary or medically reversible health effects. The chance of more severe health consequences is described as remote.
No incidents of the vulnerability being exploited have been identified. There have also been no reported cases of unauthorized access to patient information.
Identification and Remediation Efforts
GE HealthCare identified the vulnerability during routine internal testing. A permanent correction is in development to address the issue.
In the interim, GE HealthCare has provided guidance that allows organizations to continue operating affected systems while applying risk reduction measures.
Mitigation Requirements
The FDA recall notice specifies actions that users must take to reduce exposure risk during the remediation period. Appropriate security controls must be applied in accordance with the product documentation.
Network-based authentication using Active Directory or LDAP services must be configured for user management. Organizations that cannot implement network authentication must contact GE HealthCare to obtain temporary mitigation instructions.
These actions are intended to reduce the likelihood of unauthorized credential use and limit the potential for disruption or data alteration until a permanent fix is deployed.
