Is Your Data Secure? Healthcare Devices Come Under Scrutiny

January 29, 2020

Yes, we live in that world now.  It’s a world where techno-wizardry abounds.  It’s a place of unparalleled digital progress; but with that progress comes unprecedented dependence—dependence upon software and digital networks and electronic devices.  It is the very nature of this dependence that presents the inherent dangers that we now see cropping up all around us.  In that sense, no one is safe.  The American military is a good example of this.  Because it relies so heavily on digital technology, it must devote enormous budgetary resources to defending these capabilities from potential cyber-attacks.  Like it or not, this is the world we have decided to build; and, because of that, nations and organizations and individuals must be on guard against the relentless threat of the hacker.

Device Vulnerability

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) announced late this January that they have detected six vulnerabilities in GE Healthcare devices.  If exploited, these vulnerabilities could allow bad actors to effectively make these medical devices unusable; or, at the very least, their functionality could be severely compromised.

According to CISA, the affected GE devices are connected with the GE Healthcare Clinical Information Central Stations and Telemetry Servers, including the CARESCAPE Central Information Center, Apex Telemetry Server/Tower, Central Station, Telemetry Server, B450 patient monitor, B650 patient monitor and B850 patient monitor.

If the weak spots in the GE health devices are ultimately exploited, hackers might be able to make changes in the devices’ software that would interfere with the devices’ functionality, make changes to alarm settings and expose protected health information (PHI).  Any of these scenarios are potentially deleterious to patients—from both a medical and privacy perspective.

Discovery of Vulnerability

The vulnerabilities in GE’s health devices were actually discovered by a third-party cybersecurity company, CyberMDX. Based on the National Infrastructure Advisory Council’s scoring methodology for assessing the severity of computer vulnerabilities, CyberMDX rated the GE device vulnerabilities, giving each a numeric score.  In its review of the GE devices, five of the six vulnerabilities received a severity score of 10. The remaining vulnerability was given an 8.5 severity score.

It is worth mentioning that this is only one “catch” by one company.  There is no telling how many other health-related devices are innately vulnerable to hacking that have not been uncovered by the good guys; and there is no telling how many of these devices are already being targeted by the bad guys.

Scope and Solutions

According to Becker’s Hospital Review, the number of healthcare devices similarly affected is largely unknown, and this uncertainty exists on a global scale. Based on CyberMDX’s calculations, literally hundreds of thousands of devices may be at risk.

As to the GE vulnerabilities already identified, the Food and Drug Administration (FDA) has recommended that hospitals segregate any networks connecting to the patient monitors.  In addition, they should be using firewalls, virtual private networks, network monitors or other technologies to mitigate the risk of the GE vulnerabilities being exploited.

When it comes to other potential defects in medical device security, health organizations would do well to be proactive in strengthening security to the extent practicable.  They may want to hire cybersecurity experts to perform a review of risk areas and make recommendations.  They should also keep abreast of official notifications by CISA, the FDA and other agencies regarding newly discovered deficiencies in medical devices that might compromise patient safety or privacy.  It is important to note that the FDA’s Cybersecurity webpage contains the following admonition:

Medical device manufacturers (MDMs) are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity. Healthcare delivery organizations (HDOs) should evaluate their network security and protect their hospital systems. Both MDMs and HDOs are responsible for putting appropriate mitigations in place to address patient safety risks and ensure proper device performance.

This means that whether or not the medical device firm is doing its job in ensuring sufficient defense against potential hackers, the hospital must.  It is no longer an option, but an obligation.  In fact, cyber defense is something we are all going to have to take very seriously and work continually to address.  It’s the world we now live in.

If you would like more information on how to assess and address medical device security, please contact us.