The Food and Drug Administration has issued a safety communication informing healthcare providers, facilities, and patients about cybersecurity vulnerabilities associated with certain GE Healthcare Clinical Information Central Stations and Telemetry Servers.
The GE Healthcare servers are used in facilities for displaying patient information and status from a central location, such as a nurse’s bay. Specific versions of the devices that have the security vulnerabilities include the ApexPro Telemetry Server and CARESCAPE Telemetry Server (software version 4.2 and earlier), CARESCAPE Central Station (CSCS) version 1 (software version 1.x), and CIC Pro Clinical Information Center Central Station version 1 (software version 4.x, 5.x). The vulnerabilities in the servers were identified by a third party security firm; to date, the Agency has not received any adverse event reports related to patient harm or device malfunction.
According to the FDA, it is possible that an attack could occur undetected and without user interaction; it may also remain invisible to existing security measures. The vulnerabilities could allow an attacker to take control of the device to silence alarms, generate false alarms or interfere with the function of patient monitors connected to these devices.
GE Healthcare has contacted providers and facilities that have these devices and provided instructions for mitigating risk and information on where to find the software updates when they become available.
The FDA is advising healthcare facilities to segregate the network connecting the patient monitors with the affected devices from the rest of the hospital network. In addition, firewalls, segregated networks, virtual private networks, network monitors, and other technologies should be employed to minimize the risk of attacks.
This is the ninth safety communication issued by the FDA concerning medical device cybersecurity vulnerabilities since 2013.
For more information visit FDA.gov.