Alert: Vulnerabilities found in GE anesthesia machines


Security researchers have found vulnerabilities in two models of General Electric (GE) hospital anesthesia machines.

The vulnerable devices are the GE Aestiva and GE Aespire, models 7100 and 7900. The vulnerabilities reside in the firmware of the two devices, according to researchers at CyberMDX, a healthcare cybersecurity firm.


CyberMDX stated that attackers on the same network as the devices, a hospital network, can send remote commands that make changes to the devices.

“There’s just an authentication lack,” a CyberMDX researcher told ZDNet in an email today about the exact nature of the security flaws.

“The design supports the above commands,” he added. The researchers claim that these commands can be used to make unauthorized adjustments to the anesthesia machines. “Some can only be supported on a previous prototype; however, there is a different command which allows you to change the version of your protocol (for backward compatibility).”

CyberMDX said such unauthorized changes may put patients at risk. In addition, attackers could silence device alarms for low/high levels of different agents and modify timestamps in logs.

“There is clearly trouble with the potential to manipulate alarms and gas compositions,” said CyberMDX Research Leader Elad Luz. “Anesthesiology is a complicated science and every patient can respond differently to treatment; as such, anesthesiologists need to use strict protocols to document and report procedures and dosages, vital symptoms… The ability to automate and accurately monitor procedures and to document what has occurred during surgery.” Anesthesiology is more subtle than problematic. You no longer have reliable audit trails once the integrity of the time and date settings has been affected.

“For any medical centre, this is a very serious issue,” Luz said.

Moreover, once an attacker has gained access to a hospital network, most of which are known for running insecure and outdated software, the attacks are relatively simple.


CyberMDX said it reported the flaws to GE in October 2018.


GE declined to issue patches, but the company will publish mitigation recommendations on its website.

GE provided these mitigations in an email to ZDNet. The vendor indicated that the vulnerabilities cannot be exploited if the anesthesia machines are not connected to a hospital's network, because the security defects only come into play when one of the devices' serial ports (e.g. USB) is connected to a TCP/IP network via a terminal server device. If the anesthesia machines are not connected to the hospital network, an attacker cannot operate them, even with access to that network.

For cases where anesthesia machines are connected to central management systems, however, GE did not specify what secure terminal servers are or what requirements they must meet.

The vendor also indicated that gas composition parameters can no longer be modified on systems sold after 2009, so this should not be a threat unless hospitals use old GE Aestiva and GE Aespire machines.

A security alert with directions on how hospitals and other medical centers can secure impacted anesthesia machines will be issued later today by the Department of Homeland Security's ICS-CERT, which helped CyberMDX contact GE Healthcare. GE has published similar information on its website, at this URL. The CyberMDX report detailing the vulnerabilities of the GE Aestiva and Aespire can be found here.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.