Riley Griffin (Bloomberg) -- General Electric Co. health-care stations and servers may be vulnerable to cyberattacks, the U.S. Food and Drug Administration said in a safety communication on Thursday.
The FDA warned health providers, facilities and patients that an outside firm had identified cybersecurity vulnerabilities in GE medical servers used to display patient information like heartbeat or blood pressure. The security gaps could allow an attacker to take over and interfere with the monitors by, for example, silencing alarms or creating false ones.
The agency said it hasn’t received any reports of patient harm or device malfunction associated with the vulnerabilities. An attack could go undetected and occur without user interaction, and compromised devices could appear to be working normally, the FDA said.
Medical devices are increasingly connected to each other and to the wider internet, and government health agencies, hospitals and technology companies have begun to air their concerns about cybersecurity threats that could have troubling public-health consequences.
“When a medical device is connected to a communications network, there is a risk that cybersecurity vulnerabilities could be exploited by an attacker, which could result in patient harm,” said Suzanne Schwartz, the acting director of the Office of Strategic Partnerships and Technology Innovation in the FDA’s Center for Devices and Radiological Health.
On Nov. 12, GE Healthcare issued an “Urgent Medical Device Correction” letter informing providers and facilities that use its Clinical Information Central Stations and Telemetry Servers of such security vulnerabilities, and how to mitigate risk. The company is currently working to issue a software update that can be implemented by the technology’s users.
“We are instructing the facilities where these devices are located to follow network management best practices and are developing a software patch with additional security enhancements,” a GE Healthcare spokesperson said in a statement. “We are not aware of any incidents where these vulnerabilities have been exploited in a clinical situation.”
The FDA has previously identified cyber risks to popular insulin pumps, implantable cardiac devices and infusion systems. It is not aware of patient injuries or deaths associated with any of those cases.