The Food and Drug Administration released a warning on Thursday to health-care providers, facilities and consumers about a vulnerability in certain electronic health care data equipment made by General Electric.
The flaw affects some GE health-care Clinical Information Central Stations and Telemetry Servers, the regulator said Thursday. The machines are used for monitoring blood pressure, heart rate, temperature and patient status, and are typically located in the central part of a facility, "such as a nurse's station," the FDA said.
GE notified facilities about the vulnerability by mail in November, according to the FDA, and posted further guidance on fixing the problem to its website Thursday.
The flaw could allow a person to tamper with the devices in order to "silence alarms, generate false alarms and interfere with alarms of patient monitors connected to these devices," the release says.
The FDA said it is not aware of any "adverse events" related to the vulnerabilities and said a third-party cybersecurity firm found the problem.
The FDA has increasingly been pressuring companies to be more diligent about cybersecurity and has launched a number of initiatives to better communicate to hospitals, doctors and patients about risks to devices.
Manufacturers may issue patches for flawed medical devices, but unlike with consumer devices, pushing those patches to the devices is much more difficult, if not impossible. That's because for many medical devices and systems, a facility worker or even a patient — in the case of at-home technologies such as insulin pumps — may need to update the device manually.
GE is working on a solution, and in the meantime, has advised facility owners to segregate the equipment from the wider hospital network, restrict access to the stations to those required to use them for work, change default passwords on the devices and create firewalls to block any incoming internet traffic.