Skip to main content

Case Study: GE Centricity Viewer Credential Flaw (2025)

Why This Case Matters

This case shows that connected-product security is often ecosystem security. A viewer, workstation, PACS, radiology system, service account, and customer network can all become part of the same trust boundary when credentials can be discovered or reused.

What Happened

In 2025, FDA recall records and international safety notices described a potential security vulnerability affecting GE HealthCare Centricity Universal Viewer, PACS-IW, Radiology RA600, and Cardiology CA1000 systems. The FDA recall record states that service login credentials could be identified, potentially allowing a malicious actor with those credentials to access the system and manipulate patient data.

Published recall and safety-notice materials described customer actions including securing networks, using Active Directory or LDAP where possible, following mitigation guidance, and applying corrections or password-change procedures provided by GE HealthCare.

What Failed

  • Service credentials were discoverable or exposed in a way that could support unauthorized access.
  • Privileged access paths in a networked imaging environment were not sufficiently protected.
  • Customer mitigations depended on secure local network controls and account-management configuration.
  • Credential change, rotation, or correction guidance had to be distributed after deployment.

Secure-by-Design Lessons

LessonWhat product teams should do
Service credentials are product assetsInventory service accounts, privileged credentials, and machine-to-machine trust paths.
Default or discoverable credentials should not survive deploymentRequire unique credentials, customer-controlled identity integration, or certificate-based authentication.
Ecosystem boundaries need threat modelsInclude workstations, viewers, servers, remote access, customer directories, and service workflows.
Credential rotation must be operableProvide tested procedures to change, rotate, revoke, and audit credentials.
Customer mitigation is not a substitute for design controlRetain evidence that default configurations and service paths were reviewed before release.

Evidence That Should Exist

EvidenceWhy it matters
Credential inventoryShows every service, machine, administrator, support, and integration credential.
Access-control designShows roles, privileges, authentication flows, and customer identity integration.
Threat model for the imaging ecosystemShows trust boundaries across viewers, PACS, workstations, services, and remote access.
Credential rotation test evidenceShows credentials can be changed without breaking clinical workflow.
Secure configuration baselineShows default deployment avoids exposed or shared credentials.
Audit logging evidenceShows privileged access and credential changes can be monitored.
Customer correction and acknowledgement recordsShows customers received, understood, and applied mitigation or correction instructions.

What Product Teams Should Check

  • Do we have a complete inventory of service, support, and machine credentials?
  • Are any credentials discoverable from local files, clients, installers, logs, manuals, or workstations?
  • Can customers rotate or revoke service credentials safely?
  • Can the product integrate with customer identity systems such as LDAP, Active Directory, or certificate-based authentication?
  • Are privileged actions logged and reviewable?
  • If a credential issue is found, can we identify affected versions and send clear mitigation instructions?

Sources