UPDATED 19:12 EST / JANUARY 23 2020

DHS issues warning over hackable GE Healthcare patient monitoring devices

The U.S. Department of Homeland Security Cyber and Infrastructure Security Agency issued an alert today relating to a range of vulnerabilities found in GE Healthcare patient monitoring devices.

The vulnerabilities, discovered by researchers at CyberMDX Technologies Inc. and dubbed MDhex, affect a range of GE’s CARESCAPE Clinical Information Center Pro patient monitoring products. The CIC Pro workstations are used by hospital staff to view patient physiological data and waveforms, together with patient demographic data, in real time from a single visual array.

Data from the devices is transmitted from different side-monitors via a shared network, and the technology also can be centrally managed. Both of those features are sources of potential problems.

The vulnerabilities, six in total, allow hackers to access the devices and make them unusable, interfere with their functions, change alarm settings and steal protected health information.

Affected devices include:

  • Central Information Center (CIC), versions 4.x and 5.x
  • CARESCAPE Central Station (CSCS), versions 1.x and 2.x
  • CARESCAPE Telemetry Server, versions 4.3, 4.2 and prior
  • Apex Pro Telemetry Server/Tower, versions 4.2 and earlier
  • B450 patient monitor, version 2.x
  • B650 patient monitor, versions 1.x and 2.x
  • B850 patient monitor, versions 1.x and 2.x

“Launched in 2007, the CARESCAPE product line is extremely popular and has seen adoption in hospitals across the globe,” CyberMDX said. “Though GE declined to comment on the precise number of affected devices in use globally, the installed base is believed to be in the hundreds of thousands.”

GE Healthcare said that it plans to provide patches and additional security information, although a time frame wasn’t set.

“Malicious actors have gotten very good at identifying and exposing weak links in healthcare security,” Ed Gaudet, chief executive officer of healthcare cloud security firm Censinet Inc., told SiliconANGLE. “Unfortunately, it’s becoming increasingly common that the weakest link is a third-party medical device.”

That’s why, he added, it’s critical for providers to start taking a fundamentally different approach to mitigating third-party risk. “That approach starts with real-time insights into threats that are presented by an expanding and constantly-changing ecosystem of vendors, especially the ones providing devices with a direct impact on the delivery of patient care,” he said.
