The U.S. Food and Drug Administration (FDA) has issued a device safety alert for GE Healthcare medical devices. The safety alert relates to GE Healthcare Clinical Information Central Stations and Telemetry Servers. The FDA says that cybersecurity threats could risk the health of the patients that these medical devices monitor and support.
FDA Warns about Security of GE Healthcare Medical Devices
In its report, the FDA warns that there may be cybersecurity vulnerabilities in some of GE Healthcare’s medical devices. In November 2019, GE Healthcare issued its own letter warning consumers about safety issues with certain devices. At the time, software updates and patches were rolled out.
Now, however, there is a greater focus on specific systems that may be vulnerable to hackers. If a hacker gets into the device, he or she could change settings or configurations, silence alarms or interfere with monitoring processes. The FDA notes that the vulnerabilities could,
“allow an attacker to remotely take control of the medical device and to silence alarms, generate false alarms and interfere with alarms of patient monitors connected to these devices.”
The devices most at risk are clinical information central stations and telemetry servers running certain software versions, including:
- ApexPro Telemetry Server and CARESCAPE Telemetry Server running software version 4.2 or earlier
- CARESCAPE Central Station (CSCS) version 1 running software 1.x
- CIC Pro Clinical Information Center Central Station version 1, running software versions 4.x and 5.x
These devices are used to monitor and display heartbeat, blood pressure, temperature and other parameters.
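One way to check an asset inventory against the affected versions listed above, as an added example that does not come from the FDA alert or GE Healthcare. The CSV layout, hostnames and status labels are constructed for illustration, and comparing only major.minor is an assumption.

```python
import csv
import io
import re

# Rules transcribed from the list above, keyed by a lowercase product-name fragment.
# Assumption: only (major, minor) is compared, so a 4.2.x build counts as 4.2.
# The "version 1" hardware generation named in the list is not checked here.
AFFECTED_RULES = {
    "apexpro telemetry server": lambda v: v <= (4, 2),
    "carescape telemetry server": lambda v: v <= (4, 2),
    "carescape central station": lambda v: v[0] == 1,
    "cic pro": lambda v: v[0] in (4, 5),
}

def parse_version(text):
    """Return (major, minor) from '4.2', 'v5.1.3' or '1'; None if unparseable."""
    m = re.match(r"\s*v?(\d+)(?:\.(\d+))?", text, re.IGNORECASE)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)

def classify(product, version_text):
    # A listed product with no readable version is sent for manual review
    # rather than silently treated as outside the range.
    name = product.lower()
    for fragment, is_affected in AFFECTED_RULES.items():
        if fragment in name:
            version = parse_version(version_text)
            if version is None:
                return "review"
            return "affected" if is_affected(version) else "outside-listed-range"
    return "not-listed"

def triage(inventory_csv):
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {r["hostname"]: classify(r["product"], r["software_version"]) for r in reader}

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = """hostname,product,software_version
tele-01,ApexPro Telemetry Server,4.2.1
tele-02,CARESCAPE Telemetry Server,4.3
cscs-01,CARESCAPE Central Station,1.0.4
cic-01,CIC Pro Clinical Information Center,5.1
cic-02,CIC Pro Clinical Information Center,
pump-01,Infusion Pump Gateway,2.0
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```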
Cybersecurity Attacks Put Patients at Risk
Medical devices that monitor patients and transmit information to healthcare providers are an important part of the healthcare process. When these devices become vulnerable to cybersecurity attacks, patients are put at risk. Vulnerabilities in GE Healthcare devices could allow illicit control of the devices, including writing, reading or uploading capabilities.
Perhaps the scariest part of the cybersecurity vulnerabilities is the fact that the systems and administrators may not detect an attack. According to the FDA,
“These vulnerabilities might allow an attack to happen undetected and without user interaction. Because an attack may be interpreted by the affected device as normal network communications, it may remain invisible to existing security measures.”
Preventing Cybersecurity Attacks in Medical Devices
GE Healthcare is planning to issue software patches to address the cybersecurity vulnerabilities. Customers who have the vulnerable medical devices will receive notice and instructions. In the meantime, GE Healthcare recommends the following:
- Segregate the network that connects patients to monitors.
- Use firewalls and virtual private networks to block attacks.
- Use network monitors to watch incoming and outgoing connections and communications over the network.
So far, the FDA is not aware of any attacks or adverse events related to the GE Healthcare devices at risk. However, the agency urges healthcare facilities to be aware of the risk and make efforts to protect their network and patients.