UPDATED 19:12 EST / JANUARY 23 2020

SECURITY

DHS issues warning over hackable GE Healthcare patient monitoring devices

The U.S. Department of Homeland Security Cyber and Infrastructure Security Agency issued an alert today relating to a range of vulnerabilities found in GE Healthcare patient monitoring devices.

The vulnerabilities, discovered by researchers at CyberMDX Technologies Inc. and dubbed MDhex, affect a range of GE’s CARESCAPE Clinical Information Center Pro patient monitoring products. The CIC Pro workstations are used by hospital staff to view patient physiological data and waveforms, together with patient demographic data, in real time from a single visual array.

Data from the devices is transmitted from different side-monitors via a shared network, and the technology also can be be centrally managed. Both those features are sources of potential problems.

The vulnerabilities, six in total, allow hackers to access the devices and make then unusable, interfere with their functions, change alarm settings and steal protected health information.

Affected devices include:

  • Central Information Center (CIC), versions 4.x and 5.x
  • CARESCAPE Central Station (CSCS), versions 1.x and 2.x
  • CARESCAPE Telemetry Server, versions 4.3, 4.2 and prior
  • Apex Pro Telemetry Server/Tower, versions 4.2 and earlier
  • B450 patient monitor, version 2.x
  • B650 patient monitor, versions 1.x and 2.x
  • B850 patient monitor, versions 1.x and 2.x

“Launched in 2007, the CARESCAPE product line is extremely popular and has seen adoption in hospitals across the globe,” CyberMDX said. “Though GE declined to comment on the precise number of affected devices in use globally, the installed base is believed to be in the hundreds of thousands.”

GE Healthcare said that it plans to provide patches and additional security information, although a time frame wasn’t set.

“Malicious actors have gotten very good at identifying and exposing weak links in healthcare security,” Ed Gaudet, chief executive officer of healthcare cloud security firm Censinet Inc., told SiliconANGLE. “Unfortunately, it’s becoming increasingly common that the weakest link is a third-party medical device.”

That’s why, he added, it’s critical for providers to start taking a fundamentally different approach to mitigating third-party risk. “That approach starts with real-time insights into threats that are presented by an expanding and constantly-changing ecosystem of vendors, especially the ones providing devices with a direct impact on the delivery of patient care,” he said.

Photo: GE Healthcare

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU