FDA: Cybersecurity vulnerabilities identified in GE Healthcare monitoring devices


The Food and Drug Administration has issued a warning that certain GE Healthcare Clinical Information Central Stations and Telemetry Servers have cybersecurity vulnerabilities that may introduce risk to monitored patients.

FDA icon Wikimedia Commons/FitzColinGerald/ Creative Commons License

A security firm identified several vulnerabilities in the GE devices that allow attackers to remotely take control of the medical device, silence alarms, generate false alarms, and interfere with alarms of patient monitors connected to these devices, according to an “Urgent Medical Device Correction” letter issued by GE Healthcare in November 2019.

The affected devices are the ApexPro Telemetry Server and CARESCAPE Telemetry Server, the CARESCAPE Central Station (CSCS) version 1, and the CIC Pro Clinical Information Center Central Station version 1. These devices are used in health care facilities for displaying information, such as the patient’s physiological parameters, and for monitoring patient status from a central location in a facility.

No adverse events related to the vulnerabilities have been reported to the FDA. Health care facility staff should update their devices when GE Healthcare issues a software patch that addresses the vulnerability, separate the network connecting patient monitors using affected devices from the rest of the hospital, and use firewalls and other means to minimize the risk of remote or local network attacks.

“The FDA takes reports of cybersecurity vulnerabilities in medical devices seriously and will continue to work with GE Healthcare as the firm develops software patches to correct these vulnerabilities as soon as possible. The FDA will continue to assess new information concerning the vulnerabilities and will keep the public informed if significant new information becomes available,” the FDA said in the Safety Communication.

Next Article: