Introduction
The U.S. Food and Drug Administration (FDA) recently issued a Class 2 recall for specific versions of GE HealthCare’s Centricity Universal Viewer. For healthcare providers and security professionals, this is a critical reminder of the intersection between patient safety and cybersecurity.
Medical imaging devices often operate on legacy infrastructure and are frequently overlooked in standard vulnerability management cycles. However, vulnerabilities in these systems can serve as entry points for ransomware or data exfiltration, directly impacting patient care and HIPAA compliance. Defenders must act quickly to identify vulnerable instances and apply necessary controls to protect the clinical network.
Technical Analysis
The recall addresses cybersecurity vulnerabilities in the GE HealthCare Centricity Universal Viewer, a software solution widely used to view and analyze medical images (X-rays, CT scans, MRIs, etc.).
- Affected Products: GE HealthCare Centricity Universal Viewer versions 6.0 and prior.
- Vulnerability Details: The specific vulnerabilities (which include issues related to insecure permissions and potential for code execution) could allow an attacker to gain unauthorized access to the system. Successful exploitation could lead to the disclosure of Protected Health Information (PHI) or allow an attacker to execute arbitrary code, potentially disrupting the availability of the imaging system.
- Severity: While categorized as a Class 2 recall by the FDA—indicating a situation where the use of the product may cause temporary or medically reversible adverse health consequences—the cybersecurity risk is significant. From a security operations perspective, this should be treated with high priority due to the criticality of imaging systems in clinical workflows.
- Fix: GE HealthCare has released software updates (patches) that address these vulnerabilities. Organizations running affected versions must upgrade to the latest patched version provided by the vendor.
Defensive Monitoring
To determine if your organization is affected, security teams must actively scan for the presence of the software and verify versioning. Below are scripts and queries to aid in detection and remediation verification.
PowerShell Script for Software Inventory
Run this script on endpoints or use it in a configuration management tool (like SCCM or Intune) to detect if the vulnerable GE HealthCare software is installed and identify its version.
# Check for GE HealthCare Centricity Universal Viewer in both the 64-bit and 32-bit (Wow6432Node) uninstall hives.
# -ErrorAction SilentlyContinue keeps the scan quiet on hosts where one hive is absent.
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
    "HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like "*Centricity*Universal*Viewer*" } |
    # PSComputerName is only populated by remoting, so resolve the host name explicitly for local runs.
    Select-Object @{ Name = "ComputerName"; Expression = { $env:COMPUTERNAME } }, DisplayName, DisplayVersion, InstallDate, Publisher |
    Format-Table -AutoSize
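Building on the one-liner above, the following script is an added example (not from the FDA notice or from GE HealthCare) that runs the same registry scan across a list of hosts with PowerShell remoting, parses each DisplayVersion, and flags installs whose major.minor version is at or below the 6.0 ceiling named in the recall. The host names, the CSV path, and the assumption that the product registers an uninstall entry matching "*Centricity*Universal*Viewer*" are placeholders and assumptions; the status values are only a triage aid and should be confirmed against the vendor advisory.

```powershell
# Added example (not from the FDA notice or GE HealthCare): inventory Centricity Universal Viewer
# on a list of hosts and flag any install whose major.minor version is at or below 6.0,
# the ceiling stated in the recall ("versions 6.0 and prior").
# Assumptions: PowerShell remoting (WinRM) is enabled to the target hosts; the product registers an
# uninstall entry whose DisplayName contains "Centricity", "Universal" and "Viewer";
# the host names and output path below are constructed placeholders.

$AffectedCeiling = '6.0'                               # from the recall text; compared on major.minor only
$Targets         = @('IMAGING-WS01', 'IMAGING-WS02')   # constructed placeholder host names; empty array = local host only
$OutputCsv       = '.\centricity-inventory.csv'

# Runs on each host and returns one object per matching uninstall entry.
$Scan = {
    param([string]$Ceiling)
    $ceilingVersion = [version]$Ceiling
    $hives = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Centricity*Universal*Viewer*' } |
        ForEach-Object {
            # Keep only digits and dots so strings such as "v6.0.3 SP1" still parse as a [version].
            $parsed = $null
            $clean  = ($_.DisplayVersion -replace '[^0-9.]', '').Trim('.')
            $ok     = [version]::TryParse($clean, [ref]$parsed)
            $status = if (-not $ok) {
                'ReviewManually'       # unparseable or missing version string
            } elseif ([version]"$($parsed.Major).$($parsed.Minor)" -le $ceilingVersion) {
                'InAffectedRange'      # 6.0.x or lower: confirm against the vendor advisory and patch
            } else {
                'AboveAffectedRange'   # newer than 6.0: confirm it is the vendor's patched release
            }
            [pscustomobject]@{
                ComputerName   = $env:COMPUTERNAME
                DisplayName    = $_.DisplayName
                DisplayVersion = $_.DisplayVersion
                InstallDate    = $_.InstallDate
                Publisher      = $_.Publisher
                Status         = $status
            }
        }
}

# Fan out with remoting when targets are given, otherwise scan the local machine.
$results = if ($Targets.Count -gt 0) {
    Invoke-Command -ComputerName $Targets -ScriptBlock $Scan -ArgumentList $AffectedCeiling -ErrorAction Continue
} else {
    & $Scan $AffectedCeiling
}

$report = $results |
    Select-Object ComputerName, DisplayName, DisplayVersion, InstallDate, Publisher, Status |
    Sort-Object Status, ComputerName
$report | Format-Table -AutoSize
$report | Export-Csv -Path $OutputCsv -NoTypeInformation

# Hosts that returned no rows (viewer not installed, or remoting failed) still have to be accounted for.
$reported = @($report.ComputerName | Sort-Object -Unique)
$Targets | Where-Object { $_ -notin $reported } |
    ForEach-Object { Write-Warning "No Centricity Universal Viewer entry returned from $_ (not installed, or remoting failed)" }
```

The CSV doubles as the remediation tracking list: rerun the script after patching and diff the Status column. Hosts that produce a warning rather than a row need a manual check, since an unreachable host is not the same as a clean one.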
KQL Query for Microsoft Sentinel / Defender
If you use Microsoft Defender for Endpoint or Sentinel, use the following KQL query to hunt for devices that have run the vulnerable executable and identify their version numbers. Process-launch telemetry records the binary's version information on each launch, so the most recent launch per device reflects the currently installed build.
// Hunt for the Centricity Universal Viewer binary in process-launch telemetry.
// Version information is captured per launch, so arg_max over Timestamp gives the latest build seen per device.
DeviceProcessEvents
| where FileName =~ "UniversalViewer.exe"
    or FolderPath contains "Centricity"
| summarize arg_max(Timestamp, *) by DeviceId
| project DeviceName, DeviceId, FileName, ProcessVersionInfoProductName, ProcessVersionInfoProductVersion, FolderPath, Timestamp
| order by DeviceName asc
Remediation
Healthcare IT and Security teams should take the following immediate steps to mitigate the risk associated with this recall:
- Inventory Verification: Use the scripts above to identify all instances of Centricity Universal Viewer within your environment. Ensure that shadow IT or unauthorized workstations connected to medical modalities are included in this scan.
- Patch Management:
  - Contact GE HealthCare support or access the GE HealthCare support portal to obtain the latest software updates.
  - Schedule immediate maintenance windows to apply the patch to all affected systems.
  - Note: As this is medical software, ensure patches are tested in a non-production environment first to verify compatibility with PACS (Picture Archiving and Communication System) integrations.
- Network Segmentation: If immediate patching is not possible due to clinical availability requirements, ensure affected devices are placed behind strict network firewalls. They should not have direct internet access, and access should be restricted strictly to necessary medical workstations.
- Access Controls: Review and enforce the principle of least privilege. Ensure that user accounts associated with the Universal Viewer do not have administrative rights on the underlying operating system.
- Audit & Monitor: Increase monitoring (EDR/SIEM) on these specific devices for anomalous process execution or outbound network connections until patches are fully deployed.
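The Access Controls and Network Segmentation steps are easy to state and easy to let drift while a patch is pending. The script below is an added example (not from the FDA notice or from GE HealthCare) that turns them into repeatable checks on an affected workstation: it flags viewer sessions running under a local Administrator account, compares the viewer's established TCP peers against an allow list of PACS hosts, and probes for internet egress that should be blocked. The process name UniversalViewer.exe is taken from the hunting query above; the allow-list addresses and the egress probe host are constructed placeholders for your own segmentation design.

```powershell
# Added example (not from the FDA notice or GE HealthCare): verification checks for the
# Access Controls and Network Segmentation steps, run on an affected imaging workstation
# while patches are pending. Assumptions: the viewer process is UniversalViewer.exe (the
# name used in the hunting query above); the allow list of PACS/worklist addresses and the
# egress probe host are constructed placeholders for your own segmentation design.
# Run elevated: Get-Process -IncludeUserName and Get-NetTCPConnection need administrator rights.

$ViewerProcess      = 'UniversalViewer'               # process name without .exe
$AllowedRemoteHosts = @('10.10.20.5', '10.10.20.6')   # constructed: PACS archive and worklist servers only
$EgressProbeHost    = 'example.com'                   # constructed: any public host; must be unreachable once egress is blocked

# 1) Least privilege: flag viewer sessions running under an account that holds local admin rights.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Name }
$viewerProcs = Get-Process -Name $ViewerProcess -IncludeUserName -ErrorAction SilentlyContinue
$privilegeFindings = foreach ($p in $viewerProcs) {
    [pscustomobject]@{
        Check   = 'LeastPrivilege'
        Subject = "$($p.UserName) (PID $($p.Id))"
        # Direct membership only; rights inherited through a nested domain group need a full token check.
        Result  = if ($admins -contains $p.UserName) { 'FAIL: viewer runs as a local Administrator' } else { 'PASS' }
    }
}

# 2) Segmentation: every established TCP peer of the viewer must be on the allow list.
$segmentationFindings = if ($viewerProcs) {
    Get-NetTCPConnection -OwningProcess $viewerProcs.Id -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Check   = 'Segmentation'
                Subject = "$($_.RemoteAddress):$($_.RemotePort)"
                Result  = if ($AllowedRemoteHosts -contains $_.RemoteAddress) { 'PASS' } else { 'FAIL: peer not in allow list' }
            }
        }
}

# 3) Egress: the workstation should not reach the internet at all.
$egress = Test-NetConnection -ComputerName $EgressProbeHost -Port 443 -WarningAction SilentlyContinue
$egressFinding = [pscustomobject]@{
    Check   = 'NoInternetEgress'
    Subject = "${EgressProbeHost}:443"
    Result  = if ($egress.TcpTestSucceeded) { 'FAIL: outbound internet reachable' } else { 'PASS' }
}

# Collect the findings, dropping empty sections (e.g. viewer not running at check time).
$findings = @(@($privilegeFindings; $segmentationFindings; $egressFinding) | Where-Object { $null -ne $_ })
$findings | Format-Table -AutoSize

# A non-zero exit lets a configuration-management or scheduled-task job treat any FAIL as drift.
if ($findings.Result -match '^FAIL') { exit 1 }
```

Run it from the same scheduled-task or configuration-management job that deploys the firewall rules, so a FAIL row surfaces as a drift alert in the SIEM rather than waiting for the next manual audit. The segmentation check only sees connections that exist at run time; pair it with the EDR/SIEM monitoring from the Audit & Monitor step for coverage between runs.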