Patient Monitor Systems May Be Hacked, FDA Warns

January 24, 2020
Brielle Benyon

Certain GE Healthcare Clinical Information Central Stations and Telemetry Servers may be vulnerable to compromise, according to the FDA.

Certain GE Healthcare Clinical Information Central Stations and Telemetry Servers may be vulnerable to compromise, allowing an attacker to break into the system and remotely take control of the device, according to a recent statement by the Food and Drug Administration (FDA).

These systems are used to display patient data, such as temperature and heart rate, and can also send updates and alarms to the nursing station. However, a cybersecurity firm said that some may be vulnerable, giving attackers the ability to silence alarms, send out false alarms, and interfere with patient monitors.

“Medical devices connected to a communications network can offer numerous advantages over non-connected devices, such as access to more convenient or more timely health care. However, when a medical device is connected to a communications network, there is a risk that cybersecurity vulnerabilities could be exploited by an attacker, which could result in patient harm,” said Suzanne Schwartz, MD, MBA, acting director of the Office of Strategic Partnerships and Technology Innovation in the FDA’s Center for Devices and Radiological Health, in a statement.

GE has contacted healthcare providers and facilities that have the affected devices and told them how to mitigate their risk, as well as about patches and software updates, when available. Its advice included the following:

  • Segregate the network connecting the GE Healthcare Clinical Information Central Stations and Telemetry Servers from the rest of the hospital network
  • Use firewalls, segregated networks, virtual private networks, network monitors, and other precautions

As of January 23, 2020, the FDA was not aware of any adverse events resulting from the potential hacking. However, patients and caregivers are encouraged to talk with their providers if they have any concerns. In the meantime, the FDA is working with GE Healthcare to fix the problem as soon as possible.

“The agency understands that cybersecurity is a shared responsibility with the medical device industry, health care delivery organizations, patients, security researchers and other government agencies. Today’s alert regarding cybersecurity vulnerabilities in certain GE Healthcare stations and servers is a key example of the FDA’s commitment to work with all stakeholders to address cybersecurity issues that affect medical devices in order to keep patients safe,” Schwartz said.