Some GE medical equipment have vulnerabilities that make them easy to tamper with, according to the FDA. The agency has warned hospitals and healthcare providers that a third-party cybersecurity firm has identified flaws in certain GE Healthcare Clinical Information Central Stations and Telemetry Server models. Hospitals use these devices to monitor patients' information, including their temperature, heartbeat and blood pressure, and are usually located in the nurse's bay or other central locations within a facility.
Those vulnerabilities, the FDA said, could allow bad actors to remotely take control of the devices in order to generate false alarms or silence real ones. An attacker could, for instance, stop the system from notifying providers about a patient's cardiac status, putting their life in danger. Thankfully, the FDA has yet to receive reports of patient harm or device malfunction involving GE's central stations. The company has taken steps to prevent them all the same, advising customers to separate the equipment from wider hospital network and instructing them on where they can get a patch when it becomes available.
The FDA has been keeping a close eye on medical equipment cybersecurity measures and issues over the past years. It issued a final guidance instructing manufacturers to boost pacemakers' and insulin pumps' protections against cyberattacks in 2016. The agency also previously issued a warning about certain pacemakers that are vulnerable to hacking and even recalled half a million pacemakers due to hacking fears.