FDA issues cybersecurity alert on GE Healthcare medical devices
The U.S. Food and Drug Administration has put out a safety alert concerning GE Healthcare Clinical Information Central Stations and Telemetry Servers, which it says could pose risks to the patients they're monitoring.
FDA issued the safety communication, which concerns cybersecurity vulnerabilities in the devices, following GE Healthcare's own issuance in November 2019 of a letter informing consumers of the security vulnerabilities in the listed devices, as well as directions to software updates and patches.
The specific security risk concerns a vulnerability within the Clinical Information Central Stations and Telemetry Servers that could allow a hacker to change settings and configurations inside the device, including the ability to silence alarms or otherwise interfere with the patient monitoring capabilities.
"These vulnerabilities might allow an attack to happen undetected and without user interaction," FDA noted in its communication. "Because an attack may be interpreted by the affected device as normal network communications, it may remain invisible to existing security measures."
Telemetry servers and clinical information central stations are used mostly in health care facilities for displaying temperature, heartbeat, blood pressure, and other physiologic parameters of a patient.
The listed devices include the ApexPro Telemetry Server and CARESCAPE Telemetry Server running software version 4.2 or earlier, CARESCAPE Central Station (CSCS) version 1 running software 1.x, and CIC Pro Clinical Information Center Central Station version 1, running software versions 4.x and 5.x.
FDA recommends providers work with staff to determine which devices and patients may be affected and take appropriate steps to reduce risk, the agency said, noting that it was thus far unaware of any "adverse events" related to the software vulnerabilities.
GE Healthcare will be issuing a software patch to address the vulnerabilities and will notify affected customers to deploy them when the patches are ready.
In the meantime, the risk posed by the vulnerabilities can be reduced by segregating the network connecting the patient monitors with the GE Healthcare Clinical Information Central Stations and Telemetry Servers from the rest of the hospital network, as described in the GE Healthcare documentation for these devices.
FDA said to use firewalls, segregated networks, virtual private networks, network monitors, or other technologies that minimize the risk of remote or local network attacks.
The safety communication also noted the security risk could be reduced by segregating the devices in question from the rest of the hospital network, as well as through the use of firewalls, virtual private networks and network monitors.
According to research CyberMDX, the common element across these vulnerabilities--beyond the devices they affect and their shared point of discovery--is that they all present a direct path to the device's compromise, whether by way of illicit control, read, write, or upload capabilities.
Meanwhile, the CEO of third-party risk management specialist Censinet, Ed Gaudet, released a statement calling for a fundamental rethink in the way health providers approach risk assessment and third-party medical devices.
"Malicious actors have gotten very good at identifying and exposing weak links in healthcare security," Gaudet's statement noted. "Unfortunately, it's becoming increasingly common that the weakest link is a third-party medical device."