Federal health officials indicate certain GE monitoring stations used by healthcare clinicians could be vulnerable to hacking, including the silencing of critical alarms, which may increase the risk of patient injury or death.
The FDA issued a cybersecurity safety communication on January 23, warning that certain GE Healthcare servers used to monitor vital patient information contain vulnerabilities that hackers could exploit, potentially causing harm to patients.
The warning involves GE Healthcare Clinical Information Central Stations and Telemetry Servers, primarily used in health care facilities for monitoring and displaying patient information, such as temperature, heartbeat, blood pressure and other critical vitals from a central location within the facility.
According to the FDA, hackers could remotely take control of these GE devices to silence critical alarms, generate false alarms, and interfere with other monitors connected to the GE device. This could result in a delay of emergency medical intervention, endangering patients’ lives.
In November 2019, GE Healthcare issued an Urgent Medical Device Correction informing customers of the vulnerabilities and providing instructions on where to find the software updates and patches for the impacted devices. GE recommended hospitals reduce their exposure by keeping the network connecting the patient monitors separate from the rest of the hospital network.
GE strongly encouraged hospital facilities to use firewalls, segregated networks, virtual private networks, network monitors, or other technologies that minimize the risk of remote or local network attacks.
Cybersecurity threats in the medical field have been a growing concern over the last few years, as vulnerabilities to healthcare organizations’ record systems and medical devices have surfaced.
Since 2014, the U.S. Department of Homeland Security (DHS) has been actively investigating at least two dozen cases of suspected cybersecurity flaws in medical devices and hospital equipment. According to DHS, if preventative actions to address the medical field’s cybersecurity issues are not taken, hackers could exploit these vulnerabilities and put patients at serious risk.
Medtronic has faced multiple cybersecurity vulnerabilities across several devices in recent years. In June 2019, Medtronic issued a recall of the Medtronic MiniMed 508 pump and MiniMed Paradigm series insulin pumps due to cybersecurity flaws that could allow hackers to wirelessly connect to both the patient’s blood glucose meter and monitoring system, change insulin delivery settings, and alter glucose level data.
In October 2018, Medtronic issued an Urgent Medical Device Correction to physicians, notifying them that more than 34,000 implantable pacemakers were vulnerable to hacking. Medtronic disconnected the devices from internet access for software updates as a result.
The FDA has been working on a framework for cybersecurity threats across the medical field since 2013, and the need for additional protection has only grown with the increased number of incidents. In 2015 alone, the healthcare industry had more data breaches than in the previous six years combined, compromising more than 113 million medical records.
Medical device hacking demonstrations date back to 2012, when researchers at an RSA security conference in San Francisco were able to hack medical devices such as insulin pumps from up to 300 feet away. The demonstration further showed how hackers could remotely take control of the insulin devices, allowing them to deliver lethal doses of insulin to patients without any notification.