Defense In-Depth for Real-Time Patient Monitoring

Through computer viruses, worms, Trojan horses, denial-of-service attacks, and other malicious activity, the threat from malicious actors continues to grow for healthcare systems, and now extends to real-time patient monitoring. GE Healthcare’s patient monitoring ecosystem contains multiple layers of defense to protect against these threats.
  • CARESCAPE Network

    One of the most comprehensive real-time patient-data networks available today, the CARESCAPE Network captures patient data in real time and delivers integrated data across the enterprise to support informed decision-making. The CARESCAPE Network architecture consists of the mission-critical (MC) network, the information exchange (IX) network, and the CARESCAPE Gateway. The MC network is engineered to deliver mission-critical information (parameters, waveforms, trends, alarms, etc.) reliably and is protected from cyber threats by network isolation. The IX network acts as a conduit for non-real-time information (processed full-disclosure data, print files, etc.) exchanged with other systems within the hospital’s IT environment, and it is placed behind a router/firewall whenever connectivity to the hospital enterprise network is required.

  • CARESCAPE Gateway

    The CARESCAPE Gateway provides a mechanism for exchanging information between systems on the hospital’s enterprise network and devices on the MC network via the IX network. It forms a secure data bridge so that data residing on either network can be shared across the two. At the heart of the CARESCAPE Gateway’s defense is intelligent allowlisting, which protects against threats, including advanced persistent threats (APTs), by ensuring that only authorized applications are permitted to execute.

  • Product hardening

    By design, GE Healthcare’s patient monitoring products run modern operating systems enhanced for cybersecurity, including kernel hardening and built-in security features that protect against cyber threats. Examples of this built-in security include communication port restrictions, preventing files from running or executing automatically, restricted file manager access, and secure service interfaces.

  • Network access controls

    To add a further layer of security, customers have the option of deploying advanced authentication on the CARESCAPE Network. By enabling 802.1X port-based network access control and MAC Authentication Bypass (MAB), customers can ensure that only valid devices gain access to the CARESCAPE Network, protecting the privacy and security of the patients in their care.

Protection through a multi-layered approach

To protect against cybersecurity threats, GE Healthcare’s patient monitoring products employ many security solutions, mechanisms, and design philosophies that together provide defense in depth. Key examples used in many monitoring products include:
  • Host firewall

    A host firewall is enabled for network connections.

  • Minimized openings

    Only necessary application ingress and egress ports are open to the enterprise network, minimizing the attack surface.

  • PHI encryption

    Stored personal health information (PHI) is encrypted, helping to protect the privacy of patients.

  • Signed software

    Where available, software update package files must be signed before they are installed.

  • HTTPS only

    Product configuration is managed via encrypted HTTPS only.

  • Continual maintenance

    Software integrity checking runs continuously as a background task.

  • Streamlined operation

    Software processes run with minimal permissions, primarily in user space.

  • Preserved logs

    All user activity is maintained in an audit log.

  • Vulnerability management

    Reported vulnerabilities are continuously monitored and mitigated as appropriate to ensure that systems maintain their cybersecurity protections.