Warnings have been issued in the United States after cybersecurity flaws were detected in medical monitoring devices manufactured by GE Healthcare Systems (GEHC).
Safety notices were published yesterday by both the US Food and Drug Administration (FDA) and the US Department of Homeland Security’s Industrial Control Systems—Cyber Emergency Response Team (ICS-CERT) regarding vulnerabilities in certain clinical information central stations and telemetry servers.
The exploitable flaws were discovered by CyberMDX in the ApexPro and CARESCAPE telemetry servers, the CARESCAPE Central Station version 1, and the CIC Pro Clinical Information Center Central Station version 1.
The affected devices are used mainly in healthcare facilities to display a patient’s physiologic parameters, such as heart rate and blood pressure, and to monitor patients from a central location in the facility, such as a nurses’ workstation.
The FDA said the vulnerabilities “may allow an attacker to remotely take control of the medical device and to silence alarms, generate false alarms and interfere with alarms of patient monitors connected to these devices.”
ICS-CERT said that an attacker could use the flaws to obtain protected health information (PHI) data and to make the device unusable.
In a statement published yesterday, GEHC said: “In the instructions provided with the devices, GEHC requires that the MC and IX networks are properly configured and isolated from other hospital networks. If those instructions are not followed, a vulnerable situation can exist where an attacker could gain access to the MC and IX networks via the hospital network.”
GEHC has published instructions for risk mitigation along with instructions on where to find software updates or patches when they become available.
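The mitigation GEHC points to is network isolation: the MC and IX networks must not be reachable from the general hospital network. A quick way to audit that is a static check of the firewall ruleset between the segments. The script below is an added example written for this article, not GE Healthcare’s or CyberMDX’s code; the subnet addresses, rule names and the ruleset itself are hypothetical and constructed for illustration, since the advisory gives no site addressing.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical address plan (assumption: real MC/IX addressing is site-specific
# and is not given in the advisory).
HOSPITAL_NET = ipaddress.ip_network("10.0.0.0/16")
ISOLATED_NETS = {
    "MC": ipaddress.ip_network("192.168.10.0/24"),  # monitoring (MC) network
    "IX": ipaddress.ip_network("192.168.20.0/24"),  # information exchange (IX) network
}


@dataclass(frozen=True)
class Rule:
    """One firewall rule in the order it appears in the ruleset."""
    name: str
    action: str  # "allow" or "deny"
    src: str     # CIDR
    dst: str     # CIDR
    dport: str   # "any" or a port number, kept only for reporting


# Constructed sample ruleset, not taken from any real deployment.
SAMPLE_RULES = [
    Rule("intra-hospital", "allow", "10.0.0.0/16", "10.0.0.0/16", "any"),
    Rule("mc-to-ix", "allow", "192.168.10.0/24", "192.168.20.0/24", "any"),
    Rule("admin-to-ix-smb", "allow", "10.0.5.0/24", "192.168.20.0/24", "445"),
    Rule("catch-all", "allow", "0.0.0.0/0", "0.0.0.0/0", "any"),
    Rule("deny-hospital-to-mc", "deny", "10.0.0.0/16", "192.168.10.0/24", "any"),
]


def _overlaps(cidr: str, net: ipaddress.IPv4Network) -> bool:
    """True if the rule's CIDR shares any address with the given segment."""
    return ipaddress.ip_network(cidr, strict=False).overlaps(net)


def isolation_violations(rules, hospital_net=HOSPITAL_NET, isolated=ISOLATED_NETS):
    """Return (rule name, segment, direction) for every allow rule that lets
    traffic cross between the hospital network and an MC/IX segment.

    direction is "in" (hospital -> segment) or "out" (segment -> hospital).
    This is a static overlap check: it ignores rule ordering, so an allow rule
    shadowed by an earlier deny is still reported. That over-reports, which is
    the safe direction for an isolation audit.
    """
    found = []
    for rule in rules:
        if rule.action != "allow":
            continue
        for segment, net in isolated.items():
            if _overlaps(rule.src, hospital_net) and _overlaps(rule.dst, net):
                found.append((rule.name, segment, "in"))
            if _overlaps(rule.src, net) and _overlaps(rule.dst, hospital_net):
                found.append((rule.name, segment, "out"))
    return found


def report(rules=SAMPLE_RULES) -> str:
    """Human-readable summary of the audit result."""
    violations = isolation_violations(rules)
    if not violations:
        return "OK: no allow rule crosses the hospital/MC-IX boundary"
    lines = [f"{len(violations)} isolation violation(s):"]
    for name, segment, direction in violations:
        lines.append(f"  rule {name!r}: hospital <-> {segment} ({direction})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

On the constructed ruleset the check flags the SMB exception from the admin LAN into IX and the catch-all rule in both directions for both segments, while the intra-hospital rule, the MC-to-IX rule and the explicit deny pass. Because the check is purely static, it will not tell you whether the deny actually wins over the catch-all; it tells you which rules need to be removed or justified before the segments can be called isolated.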
The FDA said yesterday that it was “not aware of any adverse events related to this vulnerability,” while also saying that such incidents may be extremely hard to detect.
“These vulnerabilities might allow an attack to happen undetected and without user interaction. Because an attack may be interpreted by the affected device as normal network communications, it may remain invisible to existing security measures,” said the FDA.
In a statement published yesterday, GE Healthcare said: “There have been no reported incidences of a cyber-attack in a clinical use or any reported injuries associated with any of these vulnerabilities.”
In July 2019, ICS-CERT issued a warning after vulnerabilities were detected in GE anesthesia and respiratory devices, GE Aestiva and GE Aespire (models 7100 and 7900).