Software in certain GE Healthcare devices used to monitor patient vital signs is vulnerable to hackers, according to a recent warning from the US Food and Drug Administration (FDA). The devices are primarily used in health care facilities to display information such as temperature, heartbeat, and blood pressure and to monitor patient status from a clinical workstation or other central location. This equipment also may include patient demographic or other nonmedical information.
The FDA noted that a security firm identified several vulnerabilities in certain GE Healthcare Clinical Information Central Stations and Telemetry Servers that a hacker could exploit to remotely take control of the devices and interfere with their function—for example, by silencing alarms or generating false alarms from patient monitors connected to the devices.
“These vulnerabilities might allow an attack to happen undetected and without user interaction,” the agency noted. “Because an attack may be interpreted by the affected device as normal network communications, it may remain invisible to existing security measures.”
The FDA said it is not aware of any adverse events related to the software vulnerabilities and that GE Healthcare will issue software patches to address the vulnerabilities and contact affected facilities when the patches are ready. The agency also offered advice for reducing the risk posed by the vulnerabilities, including segregating the devices from the rest of the hospital network (as described in the documentation for the devices) and using segregated networks, firewalls, virtual private networks, network monitors, or other technologies that minimize the risk of remote or local network attacks. In the past year, the FDA has issued warnings about other devices vulnerable to hacking, including insulin pumps and implantable cardioverter defibrillators.
“Medical devices connected to a communications network can offer numerous advantages over non-connected devices, such as access to more convenient or more timely health care,” Suzanne Schwartz, MD, MBA, acting director of the Office of Strategic Partnerships and Technology Innovation in the FDA’s Center for Devices and Radiological Health, said in a statement released by the agency warning about the GE Healthcare devices’ vulnerability to hackers. “However, when a medical device is connected to a communications network, there is a risk that cybersecurity vulnerabilities could be exploited by an attacker, which could result in patient harm.”
As a recent JAMA Health Forum Insight describes, growing concerns regarding potential harm to patients posed by medjacking—the hacking of medical devices—have spurred the FDA to increase its focus on the issue and take steps to address the problem.
Open Access: This is an open access article distributed under the terms of the CC-BY License.
Stephenson J. FDA Warns That Some GE Healthcare Telemetry Servers, Health Information Stations Are Vulnerable to Cyberattack. JAMA Health Forum. 2020;1(2):e200161. doi:10.1001/jamahealthforum.2020.0161