US Issues Cybersecurity Warnings Over Flawed Medical Devices
Warnings have been issued in the United States after cybersecurity flaws were detected in medical monitoring devices manufactured by GE Healthcare Systems (GEHC).
Safety notices were published yesterday by both the US Food and Drug Administration (FDA) and the US Department of Homeland Security's Industrial Control Systems—Cyber Emergency Response Team (ICS-CERT) regarding vulnerabilities in certain clinical information central stations and telemetry servers.
Exploitable flaws in the ApexPro and CARESCAPE telemetry servers, in version 1 of the CARESCAPE Central Station, and in CIC Pro Clinical Information Center Central Station version 1 were discovered by CyberMDX.
The flawed devices are used mostly in health care facilities for displaying information regarding the physiologic parameters of a patient, such as heartbeat and blood pressure. They are also used to monitor the status of a patient from a central location in a facility, such as a nurse’s workstation.
The FDA said the vulnerabilities "may allow an attacker to remotely take control of the medical device and to silence alarms, generate false alarms and interfere with alarms of patient monitors connected to these devices."
ICS-CERT said that an attacker could use the flaws to obtain protected health information (PHI) and to make the device unusable.
In a statement published yesterday, GEHC said: "In the instructions provided with the devices, GEHC requires that the MC and IX networks are properly configured and isolated from other hos ..