FDA addresses cybersecurity vulnerabilities for certain GE information systems

Jan. 24, 2020

The U.S. Food and Drug Administration (FDA) is issuing a safety communication to healthcare providers, facilities and patients about cybersecurity vulnerabilities identified in certain GE Healthcare Clinical Information Central Stations and Telemetry Servers. These devices are used primarily in healthcare facilities to display patient information, such as physiologic status (e.g., temperature, heart rate and blood pressure), and to monitor patient status from a central location in the facility, such as a nurse’s bay.

The cybersecurity vulnerabilities identified could allow an attacker to remotely take control of the device to silence alarms, generate false alarms or interfere with the function of patient monitors connected to these devices. For example, an attacker could potentially silence an alarm that is intended to communicate vital information about a patient to healthcare staff, such as a patient’s cardiac status. These cybersecurity vulnerabilities were identified by a third-party security firm. To date, the agency has not received any adverse event reports, including reports of patient harm or device malfunction, associated with these vulnerabilities.

“Medical devices connected to a communications network can offer numerous advantages over non-connected devices, such as access to more convenient or more timely health care. However, when a medical device is connected to a communications network, there is a risk that cybersecurity vulnerabilities could be exploited by an attacker, which could result in patient harm,” said Suzanne Schwartz, M.D., MBA, acting director of the Office of Strategic Partnerships and Technology Innovation in the FDA’s Center for Devices and Radiological Health. “Today’s alert regarding cybersecurity vulnerabilities in certain GE Healthcare stations and servers is a key example of the FDA’s commitment to work with all stakeholders to address cybersecurity issues that affect medical devices in order to keep patients safe.”

The vulnerabilities in certain GE Healthcare Clinical Information Central Stations and Telemetry Servers are such that an attack could occur undetected and without user interaction. Because the affected device may interpret the attack traffic as normal or routine network communication, the attack may remain invisible to existing security measures. Given the potential for patient harm, GE Healthcare has contacted healthcare providers and facilities that have these devices and has provided information on the vulnerabilities, instructions for mitigating risk, and where to find the software updates or patches when they become available. Recommendations include advising healthcare facilities to segregate the network connecting the patient monitors and the affected GE Healthcare Clinical Information Central Stations and Telemetry Servers from the rest of the hospital network, and to use firewalls, segregated networks, virtual private networks, network monitoring or other technologies that minimize the risk of remote or local network attacks.
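As an added illustration of the segmentation recommendation above (this is not configuration from the FDA, GE Healthcare or the security firm, and the FDA statement names no ports or addresses), the following nftables policy places the patient monitors and the central station on their own VLAN and drops everything initiated from the general hospital network into that segment, with one narrowly scoped exception for an administrative host. The interface names, addresses and the administrative port are assumptions for illustration and must be replaced with the facility's own values and the vendor's instructions.

```nft
#!/usr/sbin/nft -f
# Added example, not vendor or FDA configuration. Assumptions:
#   vlan_mon       VLAN carrying the patient monitors and the central station / telemetry server
#   vlan_lan       the general hospital network
#   10.20.0.0/24   assumed address range of the monitor segment
#   10.20.0.10     assumed address of the central station
#   10.10.5.5      assumed administrative host on the hospital side
#   tcp/22         assumed administrative port; use whatever the vendor instructions specify
#
# Traffic between monitors and the central station is switched inside vlan_mon
# and never reaches this forwarding firewall, so it needs no rule here.

table inet monitor_segmentation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies for connections that a rule below has already allowed
        ct state established,related accept

        # Only the administrative host may open a connection into the
        # monitor segment, and only to the central station on the assumed port
        iifname "vlan_lan" oifname "vlan_mon" \
            ip saddr 10.10.5.5 ip daddr 10.20.0.10 tcp dport 22 ct state new accept

        # Everything else from the hospital network into the monitor segment
        # is logged and dropped; the log line is the detection hook for an
        # attacker attempting to reach the central station from the LAN
        iifname "vlan_lan" oifname "vlan_mon" \
            log prefix "mon-seg-ingress-drop " drop

        # The monitor segment may not initiate connections toward the hospital
        # network either, which limits what a compromised station could reach
        iifname "vlan_mon" oifname "vlan_lan" \
            log prefix "mon-seg-egress-drop " drop
    }
}
```

Load it on the router between the two VLANs with `nft -f <file>` and confirm with `nft list ruleset`. Verify behaviour from a host on the hospital side by attempting to reach the central station address; the attempt should time out and a `mon-seg-ingress-drop` entry should appear in the kernel log. Because the statement above notes that an attack can look like routine network communication to the device itself, the logged drops at the segment boundary are worth forwarding to the facility's monitoring system rather than relying on the device to raise an alert.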

The FDA will continue its work with manufacturers and healthcare delivery organizations—as well as security researchers and other government agencies—to help address cybersecurity issues throughout a device's total product lifecycle.

The full statement is available from the FDA.