The federal government and GE Healthcare (NYSE:GE) announced today that certain of the company’s patient monitoring devices are vulnerable to cyberattack.
If attacked, some versions of the Carescape and ApexPro telemetry servers, the Carescape Central Station version 1 and Central Information Center systems could stop monitoring patients, silence alarms or produce unnecessary alarms during patient monitoring. The danger is higher if the devices and systems are connected to improperly configured Mission Critical (MC) and/or Information Exchange (IX) networks, according to the company.
Software company CyberMDX identified six vulnerabilities that could allow an attacker to make operating system-level changes that could cripple the device or interfere with its function.
GE Healthcare issued an “urgent medical device correction” letter to customers on Dec. 12, 2019, that included instructions for risk mitigation and details on where to find the software updates or patches when they become available. The U.S. Department of Homeland Security and the FDA issued news releases about the problem today. The FDA said it is not aware of any related adverse events.
These vulnerabilities might allow an attack to happen undetected and without user interaction, the company added. Because an attack may be interpreted by the affected device as normal network communications, it may remain invisible to existing security measures.