FDA has issued a notice about cybersecurity vulnerabilities affecting GE Healthcare Clinical Information Central Stations and Telemetry Servers.
The vulnerability scored 10 out of 10 on a risk scale outlined in a Department of Homeland Security notice flagging the issue. In a statement Thursday, FDA said it could enable attackers to remotely silence alarms or otherwise interfere with the monitoring of patients.
- GE is advising users to properly configure the devices to reduce the risk of attack. However, the devices will remain somewhat vulnerable until GE patches the software.
Alerts about medical device cybersecurity vulnerabilities have become fairly common as companies have added connectivity features and authorities have become more aware of the risk. However, the notice about the vulnerabilities affecting GE products stands out, even though there have been no reports of hacks or harm to patients.
One difference is the risk score assigned by the U.S. Department of Homeland Security. DHS gave the vulnerability the maximum score on its risk scale, reflecting the fact the weakness can be remotely exploited by someone of limited skill to gain powers that could affect patient health. The DHS notice covers six distinct vulnerabilities all of which scored 10 out of 10 on the risk score.
The rare issuance of a maximum risk score was followed by a similarly rare intervention from FDA. In response to the vulnerability, FDA posted just its tenth cybersecurity safety communication since it began issuing such alerts in 2013.
FDA’s statement outlined the potential for a hacker to remotely interfere with the function of patient monitors without being detected. Intrusion by a hacker may appear to be part of normal network communication, enabling them to take actions that threaten patients without being detected by the security team.
"An attacker could potentially silence an alarm that is intended to communicate vital information about a patient to health care staff, such as a patient’s cardiac status," the agency wrote.
Despite the risk, GE is advising hospitals to continue using the devices. The recommendation reflects the ability to prevent remote access to the devices by isolating them from other hospital networks. If that protective measure is in place, a hacker would need physical access to the monitoring devices or direct access to the isolated networks they are on at the hospital to exploit the vulnerability.
The risk rating for properly configured systems is 8.2 out of 10. To eliminate the risk, GE is working on software updates to close off the vulnerability. GE is yet to provide a timeline for the rollout of the security update.