The U.S. Department of Homeland Security Cyber and Infrastructure Security Agency issued an alert today relating to a range of vulnerabilities found in GE Healthcare patient monitoring devices.

The vulnerabilities, discovered by researchers at CyberMDX Technologies Inc. and dubbed MDhex, affect a range of GE’s CARESCAPE Clinical Information Center Pro patient monitoring products. The CIC Pro workstations are used by hospital staff to view patient physiological data and waveforms, together with patient demographic data, in real time from a single visual array.

Data from the devices is transmitted from different side-monitors via a shared network, and the technology also can be be centrally managed. Both those features are sources of potential problems.

The vulnerabilities, six in total, allow hackers to access the devices and make then unusable, interfere with their functions, change alarm settings and steal protected health information.

Affected devices include:

• Central Information Center (CIC), versions 4.x and 5.x
• CARESCAPE Central Station (CSCS), versions 1.x and 2.x
• CARESCAPE Telemetry Server, versions 4.3, 4.2 and prior
• Apex Pro Telemetry Server/Tower, versions 4.2 and earlier
• B450 patient monitor, version 2.x
• B650 patient monitor, versions 1.x and 2.x
• B850 patient monitor, versions 1.x and 2.x

“Launched in 2007, the CARESCAPE product line is extremely popular and has seen adoption in hospitals across the globe,” CyberMDX said. “Though GE declined to comment on the precise number of affected devices in use globally, the installed base is believed to be in the hundreds of thousands.”

GE Healthcare said that it plans to provide patches and additional security information, although a time frame wasn’t set.

“Malicious actors have gotten very good at identifying and exposing weak links in healthcare security,” Ed Gaudet, chief executive officer of healthcare cloud security firm Censinet Inc., told SiliconANGLE. “Unfortunately, it’s becoming increasingly common that the weakest link is a third-party medical device.”

That’s why, he added, it’s critical for providers to start taking a fundamentally different approach to mitigating third-party risk. “That approach starts with real-time insights into threats that are presented by an expanding and constantly-changing ecosystem of vendors, especially the ones providing devices with a direct impact on the delivery of patient care,” he said.

Photo: GE Healthcare