DHS issues warning over hackable GE Healthcare patient monitoring devices
The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency issued an alert today relating to a range of vulnerabilities found in GE Healthcare patient monitoring devices.
The vulnerabilities, discovered by researchers at CyberMDX Technologies Inc. and dubbed MDhex, affect a range of GE’s CARESCAPE Clinical Information Center Pro patient monitoring products. The CIC Pro workstations are used by hospital staff to view patient physiological data and waveforms, together with patient demographic data, in real time from a single visual array.
Data from the devices is transmitted from different side-monitors via a shared network, and the technology also can be centrally managed. Both those features are sources of potential problems.
The vulnerabilities, six in total, allow hackers to access the devices and make them unusable, interfere with their functions, change alarm settings and steal protected health information.
Affected devices include:
- Central Information Center (CIC), versions 4.x and 5.x
- CARESCAPE Central Station (CSCS), versions 1.x and 2.x
- CARESCAPE Telemetry Server, versions 4.3, 4.2 and prior
- Apex Pro Telemetry Server/Tower, versions 4.2 and earlier
- B450 patient monitor, version 2.x
- B650 patient monitor, versions 1.x and 2.x
- B850 patient monitor, versions 1.x and 2.x
“Launched in 2007, the CARESCAPE product line is extremely popular and has seen adoption in hospitals across the globe,” CyberMDX said. “Though GE declined to comment on the precise number of affected devices in use globally, the installed base is believed to be in the hundreds of thousands.”
GE Healthcare said that it plans to provide patches and additional security information, although a time frame wasn’t set.
“Malicious actors have gotten very good at identifying and exposing weak links in healthcare security,” Ed Gaudet, chief executive officer of healthcare cloud security firm Censinet Inc., told SiliconANGLE. “Unfortunately, it’s becoming increasingly common that the weakest link is a third-party medical device.”
That’s why, he added, it’s critical for providers to start taking a fundamentally different approach to mitigating third-party risk. “That approach starts with real-time insights into threats that are presented by an expanding and constantly-changing ecosystem of vendors, especially the ones providing devices with a direct impact on the delivery of patient care,” he said.