Agency clarifies no reports of breaches have occurred thus far
Last week, the U.S. Food and Drug Administration issued a safety communication informing health care providers, facilities and patients about cybersecurity vulnerabilities identified for certain GE Healthcare Clinical Information Central Stations and Telemetry Servers.
These devices are primarily used in health care facilities for displaying patient information, such as the physiologic status (e.g., temperature, heartbeat, blood pressure) of a patient, and monitoring patient status from a central location in a facility, such as a nurse’s bay. The cybersecurity vulnerabilities identified could allow an attacker to remotely take control of the device to silence alarms, generate false alarms or interfere with the function of patient monitors connected to these devices.
To date, the agency has not received any adverse event reports, including reports of patient harm or device malfunction, associated with these vulnerabilities.
“Medical devices connected to a communications network can offer numerous advantages over non-connected devices, such as access to more convenient or more timely health care. However, when a medical device is connected to a communications network, there is a risk that cybersecurity vulnerabilities could be exploited by an attacker, which could result in patient harm,” said Suzanne Schwartz, MD, MBA, acting director of the Office of Strategic Partnerships and Technology Innovation in the FDA’s Center for Devices and Radiological Health. “The agency understands that cybersecurity is a shared responsibility with the medical device industry, health care delivery organizations, patients, security researchers and other government agencies. Today’s alert regarding cybersecurity vulnerabilities in certain GE Healthcare stations and servers is a key example of the FDA’s commitment to work with all stakeholders to address cybersecurity issues that affect medical devices in order to keep patients safe.”
The agency is committed to communicating cybersecurity vulnerabilities to the public and has issued nine safety communications for medical device cybersecurity vulnerabilities since 2013. The FDA takes reports of vulnerabilities in medical devices seriously, and today’s safety communication includes recommendations to health care providers and facilities for continued monitoring, reporting and remediation of medical device cybersecurity vulnerabilities.
The FDA will continue its work with manufacturers and health care delivery organizations—as well as security researchers and other government agencies—to help address cybersecurity issues throughout a device’s total product lifecycle.