FDA issues cyber warning about devices displaying patient info
The Food and Drug Administration on Thursday warned providers and patients about cybersecurity vulnerabilities for certain GE Healthcare Clinical Information Central Stations and Telemetry Servers.
The FDA’s safety communication notes that “these devices are used mostly in healthcare facilities for displaying information, such as the physiologic parameters of a patient (such as temperature, heartbeat, blood pressure), and monitoring patient status from a central location in a facility, such as a nurse’s workstation.”
Although the FDA said it is not aware of any confirmed adverse events related to the vulnerabilities, the agency warned that risks to patients may be introduced while they are being monitored.
Specifically, the cybersecurity vulnerabilities “may allow an attacker to remotely take control of the medical device and to silence alarms, generate false alarms and interfere with alarms of patient monitors connected to these devices,” according to the safety communication.
“These vulnerabilities might allow an attack to happen undetected and without user interaction,” added the FDA. “Because an attack may be interpreted by the affected device as normal network communications, it may remain invisible to existing security measures.”
The FDA’s safety communication provides recommendations on actions that can be taken to mitigate risks, including:
- Advising healthcare facilities to segregate the network connecting the patient monitors with the affected GE Healthcare Clinical Information Central Stations and Telemetry Servers from the rest of the hospital network
- Using firewalls, segregated networks, virtual private networks, network monitors or other technologies that minimize the risk of remote or local network attacks.
“Given the potential for patient harm, GE Healthcare has contacted healthcare providers and facilities that have these devices and has provided information on the vulnerability in addition to instructions for mitigating risk and where to find the software updates or patches when they become available,” according to the FDA, which says the agency will continue to work with the company as it develops software patches to correct the problem.