GE Healthcare is the latest medtech company to be faced with cybersecurity concerns.
According to an FDA safety notice, a security firm has identified several vulnerabilities in certain GE Healthcare clinical information center workstations and telemetry servers that may allow an attacker to remotely take control of the medical device and to silence alarms, generate false alarms, and interfere with the function of patient monitors connected to these devices.
These devices are used mostly in healthcare facilities to display patient information, such as a patient’s physiologic parameters (for example, temperature, heartbeat, blood pressure), and to monitor patient status from a central location in a facility, such as a nurse’s workstation. These vulnerabilities might allow an attack to happen undetected and without user interaction. Because an attack may be interpreted by the affected device as normal network communications, it may remain invisible to existing security measures.
To date, FDA said it is not aware of any adverse events related to these vulnerabilities.
Cybersecurity is one of the biggest issues keeping medtech manufacturers awake at night, according to a panelist at MD&M West 2019, and software issues have become the top cause of medical device recalls.
“Depending on the particular segment, cybersecurity is a really critical issue for the medtech industry,” said Yarmela Pavlovic, a partner at Hogan Lovells, an international law firm. “I see companies at varying stages of adoption in cybersecurity policies, and for very young companies coming more from the tech industry, cybersecurity feels like a much more natural fit. . . But then there are a lot of companies grappling with legacy products and trying to implement cybersecurity controls based on more modern technology for products where those concerns were not part of the original design and development.”