Cybersecurity vulnerabilities have been identified in some GE Healthcare clinical information central stations and telemetry servers, the US Food and Drug Administration (FDA) warns in a safety communication issued yesterday.

 

The affected GE devices include certain versions of the ApexPro Telemetry Server and CARESCAPE Telemetry Server, CARESCAPE Central Station, and the Central Information Center. 

When connected to the mission critical (MC) and/or information exchange (IX) networks, these devices were found by a third-party security firm to be vulnerable to a cyberattack, GE Healthcare said.

Device	Software version
ApexPro Telemetry Server and CARESCAPE Telemetry Server	4.2 and earlier
CARESCAPE Central Station version 1	1.x
Central Information Center version 1	4.x and 5.x

These devices are used primarily in healthcare facilities to display patient information, such as physiologic status, and to monitor patient status from a central location in a facility, such as the nurse's station. 

The cybersecurity vulnerabilities identified could allow a hacker to remotely take control of the device to silence alarms, generate false alarms, or interfere with the function of patient monitors connected to these devices, the FDA says in a statement. 

The vulnerabilities are such that an attack could go undetected and without user interaction. 

To date, the FDA has not received any adverse event reports associated with these vulnerabilities. 

However, given the potential for patient harm, GE Healthcare has alerted healthcare professionals and facilities that have these devices about the issues identified, ways to mitigate the risk, and where to find software updates or patches to address the issues when they become available. Information about the patches will be posted on the GE Healthcare product security portal. 

In the meantime, the FDA says the risk posed by the vulnerabilities can be reduced by segregating the network connecting the patient monitors with the GE Healthcare Clinical Information Central Stations and Telemetry Servers from the rest of the hospital network, as described in the documentation for these devices provided by the company. 

The FDA also suggests using firewalls, virtual private networks, network monitors, or other technologies that minimize the risk of remote or local network attacks. 

"Medical devices connected to a communications network can offer numerous advantages over nonconnected devices, such as access to more convenient or more timely healthcare. However, when a medical device is connected to a communications network, there is a risk that cybersecurity vulnerabilities could be exploited by an attacker, which could result in patient harm," Suzanne Schwartz, MD, acting director of the Office of Strategic Partnerships and Technology Innovation in the FDA's Center for Devices and Radiological Health, said in the statement. 

Since 2013, the FDA has issued nine safety communications related to cybersecurity vulnerabilities for medical devices.