US Issues Cybersecurity Warnings Over Flawed Medical Devices

Warnings have been issued in the United States after cybersecurity flaws were detected in medical monitoring devices manufactured by GE Healthcare Systems (GEHC). 

Safety notices were published yesterday by both the US Food and Drug Administration (FDA) and the US Department of Homeland Security’s Industrial Control Systems—Cyber Emergency Response Team (ICS-CERT) regarding vulnerabilities in certain clinical information central stations and telemetry servers.

Exploitable flaws in the ApexPro and CARESCAPE telemetry servers, in version 1 of the CARESCAPE Central Station, and in CIC Pro Clinical Information Center Central Station version 1 were discovered by CyberMDX.

The flawed devices are used mostly in health care facilities for displaying information regarding the physiologic parameters of a patient, such as heartbeat and blood pressure. They are also used to monitor the status of a patient from a central location in a facility, such as a nurse’s workstation.

The FDA said the vulnerabilities “may allow an attacker to remotely take control of the medical device and to silence alarms, generate false alarms and interfere with alarms of patient monitors connected to these devices.”

ICS-CERT said that an attacker could use the flaws to obtain protected health information (PHI) and to make the device unusable.

In a statement published yesterday, GEHC said: “In the instructions provided with the devices, GEHC requires that the MC and IX networks are properly configured and isolated from other hospital networks. If those instructions are not followed, a vulnerable situation can exist where an attacker could gain access to the MC and IX networks via the hospital network.”

GEHC has published instructions for risk mitigation along with instructions on where to find software updates or patches when they become available.

The FDA said yesterday that it was “not aware of any adverse events related to this vulnerability,” while also saying that such incidents may be extremely hard to detect. 

“These vulnerabilities might allow an attack to happen undetected and without user interaction. Because an attack may be interpreted by the affected device as normal network communications, it may remain invisible to existing security measures,” said the FDA.

In a statement published yesterday, GE Healthcare said: “There have been no reported incidences of a cyber-attack in a clinical use or any reported injuries associated with any of these vulnerabilities.”

In July 2019, ICS-CERT issued a warning after vulnerabilities were detected in GE anesthesia and respiratory devices, GE Aestiva and GE Aespire (models 7100 and 7900).
