The U.S. Department of Homeland Security’s cybersecurity outfit on Thursday issued an alert about six flaws in popular health care devices that could affect device functionality, expose patients’ health information or create other vulnerabilities.
DHS’ Cybersecurity and Infrastructure Security Agency detailed the six vulnerabilities, known collectively at “MDhex,” lurking in medical technology manufactured by GE Healthcare. The issues exist in GE’s line of CARESCAPE patient monitors, including some versions of the Central Information Center product, the Apex Telemetry Server/Tower, the Central Station, a Telemetry Server and three monitor products (the B450, B650 and B850) that display vital patient information to hospital professionals.
No known public exploits specifically target these vulnerabilities, CISA said in its alert.
Five of the vulnerabilities were assigned a severity score of 10 on a scale of 1-10, while the sixth was rated an 8.5 on the National Infrastructure Advisory Council’s system.
The New York-based security firm CyberMDX first found the issues.
“We are instructing the facilities where these devices are located to follow network management best practices and are developing a software patch with additional security enhancements,” a GE Healthcare spokesperson said in a statement. “We are not aware of any incidents where these vulnerabilities have been exploited in a clinical situation.”
The vulnerabilities exist because of issues with each specific device’s design or software configuration. Whether it be the exposure of private information, or operating system weaknesses, CyberMDX said in a statement, each flaw, if exploited, could “directly impact the confidentiality, integrity and availability” of each machine.
“Most of the affected equipment can set the patient monitor’s alarm limits, admit or discharge patients, [and] set date and time,” added Elad Luz, head of research at CyberMDX.
The company says it first reported the issues on Sept. 18, 2019.
“The speed, responsiveness and seriousness with which GE treated this matter is very encouraging,” Luz said in a statement. “At the same time, there remains work to be done and we are eager to see GE issue security patches for these vital devices.”
The vulnerabilities detailed Thursday only are the latest that found inside widely used medical devices. DHS published an alert in July advising firms to beware of flaws inside anesthesia and respiratory devices, also made by GE, while researchers also found issues in infusion-pump systems made by a New Jersey-based vendor.
The U.S. Food and Drug Administration also has published a series of safety bulletins including details about weaknesses in heart defibrillators and other technologies.
Update, Jan. 23, 3:15pm, ET: This story has been updated to include a statement from GE Healthcare.