CyberMDX, which focuses primarily on medical cybersecurity, states that if successfully exploited, the hole could allow an attacker to interfere the operation of these sophisticated medical machines, thereby posing a risk to patients.
The vulnerability was discovered in GE’s Aestiva anesthesia delivery equipment, as well as in models 7100 and 7900 of the GE Aespire.
CyberMDX states that if used, an attacker could use this vulnerability to silence alarms and tamper with logs.
Worse, an attacker could even change the composition of aspirated gasses, adjusting the cocktail of oxygen, carbon dioxide, nitrous oxide, and anesthetic agents provided to the patient.
The US Department of Homeland Security’s ICS-CERT team has given this vulnerability a CVSS value of 5.3. This reflects the moderate level of risk posed by the security hole.
As is the case with every security vulnerability, exploiting this requires some preconditions to be met. Firstly, the targeted GE Healthcare appliances must be connected to a network. Furthermore, the machines need to be configured to work with a terminal server.
If these conditions are met, the attacker could potentially compromise the devices without knowing the network topology of the medical facility, or even where the machines are located within the building.
In a statement, Elad Luz, Head of Research at CyberMDX, elaborated on the risks posed by this vulnerability.
“The potential for manipulating alarms and gas compositions is obviously troubling. More subtle but just as problematic is the ability to alter timestamps that reflect and document what happened in a surgery,” he said.
Anesthesiology is a complicated science and each patient may react differently to treatment. As such, Anesthesiologists must follow stringent protocols for documenting and reporting procedures, dosages, vital signs, and more. The ability to automatically and accurately capture these details is one of the main reasons why respirators are connected to the network to begin with. Once the integrity of time and date settings has been compromised, you no longer have reliable audit trails.
TNW reached out to GE Healthcare for comment. Over email, Hannah Huntly, a company spokesperson, explained the vulnerability doesn’t introduce “clinical hazard” to users of the equipment.
“After a formal risk investigation, we have determined that this potential implementation scenario does not introduce clinical hazard or direct patient risk,” she said.
To avoid misuse of this potential implementation scenario, secure terminal servers should be used when connecting GE Healthcare anaesthesia device serial ports to TCP/IP networks.
Huntly added that the organization has a proactive approach to ensuring the integrity of its devices, and that includes partnering with external organizations.
“We have a comprehensive security approach and continuously monitor the environments we operate in to assess and mitigate risks. We will continue to work with government organizations, healthcare providers and security industry leaders on cyber readiness initiatives that support the safe and effective use of our medical devices and software solutions,” Huntly said.
This episode serves as a fundamental reminder that medical devices are quite often computers. And as is the case with your mobile phone or laptop, are vulnerable to any of the risks associated with these devices.
Our health – and yes, our lives – are in the hands of researchers and vendors.