FDA warns of cybersecurity gaps in GE Healthcare's patient monitors

The FDA has delivered a notice to healthcare providers and facilities warning them about cybersecurity vulnerabilities within certain clinical information stations made by GE Healthcare.

These devices and telemetry servers are mainly used to monitor and display patients' vital signs and other information, including heart rate, blood pressure and temperature. According to the agency, exploits have been uncovered that could allow attackers to remotely take control of the device, giving them the ability to silence alarms or generate false ones.

“Medical devices connected to a communications network can offer numerous advantages over non-connected devices, such as access to more convenient or more timely health care,” said Suzanne Schwartz, the FDA’s acting director of the Office of Strategic Partnerships and Technology Innovation at the agency’s Center for Devices and Radiological Health.

“However, when a medical device is connected to a communications network, there is a risk that cybersecurity vulnerabilities could be exploited by an attacker, which could result in patient harm,” said Schwartz. The FDA said it has not received any related adverse event reports, including reports of harm or device malfunction.

According to the agency, GE Healthcare contacted its customers in November 2019 about the issue and provided instructions for mitigating any risks as well as where to find software updates once they are available. The affected systems include the ApexPro, Carescape and CIC Pro stations and servers.

The FDA also recommended housing the affected clinical information central stations and servers on a network separate from the rest of the hospital’s computers while taking measures to minimize the risk of remote or local network attacks.