Yesterday the FDA sent out a safety communication to alert healthcare providers and facility staff about several cybersecurity vulnerabilities related to certain GE Healthcare Clinical Information Central Stations and Telemetry Services. The devices are used to display physiologic parameters (e.g., blood pressure, heartbeat) and to monitor patient status from a central location in a facility, such as a nurse workstation.
Identified by a security firm, the vulnerabilities involve the potential for an attacker to remotely control these devices, silence alarms, generate false alarms, and interfere with alarms of the monitors connected to the devices. In addition, the attacks can go undetected and can occur without user interaction. “Because an attack may be interpreted by the affected device as normal network communications, it may remain invisible to existing security measures,” according to the FDA safety communication.
The agency is working with GE Healthcare as the company develops software patches to correct the vulnerabilities. Information about the patches will be posted on GE Healthcare’s Product Security Portal (a login is required for access).