FDA Notifies GE of Cybersecurity Concern in Medical Devices

02/19/2020

Hackers and cyber criminals will try to infiltrate your network by any means available, especially due to the proliferation of the Internet of Things and the increasing stock of connected devices.

Those devices being connected to the network increasingly include medical devices like pacemakers and other vital monitoring equipment. With connectivity, however, comes vulnerability.

Those vulnerabilities are prompting government agencies to take action and warn medical device companies and users about potential cyber security issues.

The most recent example is GE Healthcare, which was the subject of a U.S. Food and Drug Administration alert about the company's Clinical Information Central Stations and Telemetry Servers.

According to the FDA, patients being monitored could be at risk (www.fda.gov).  

  • The FDA issued the safety communication, which concerns cyber-security vulnerabilities in the devices, after GE Healthcare itself sent a letter in November 2019 informing consumers of the security vulnerabilities in the listed devices and directing them to software updates and patches.
  • The specific security risk concerns a vulnerability within the Clinical Information Central Stations and Telemetry Servers that could allow a hacker to change settings and configurations inside the device, including the ability to silence alarms or otherwise interfere with the patient monitoring capabilities.
  • "These vulnerabilities might allow an attack to happen undetected and without user interaction," FDA noted in its communication. "Because an attack may be interpreted by the affected device as normal network communications, it may remain invisible to existing security measures."
  • Telemetry servers and clinical information central stations are used mostly in health care facilities for displaying temperature, heartbeat, blood pressure, and other physiologic parameters of a patient.
  • The listed devices include the ApexPro Telemetry Server and CARESCAPE Telemetry Server running software version 4.2 or earlier, CARESCAPE Central Station (CSCS) version 1 running software 1.x, and CIC Pro Clinical Information Center Central Station version 1, running software versions 4.x and 5.x.

Despite the software vulnerabilities, the FDA said it was unaware of any hacks. GE said it would issue software patches to address the concerns.

This illustrates the complex environment companies walk into as they adopt new technologies on the IoT. When you add these new capabilities, make sure your network can't be compromised.  

Need more information or an assessment of your environment? Contact our experts today.

www.zi-medical.com