Security researchers from Israeli firm CyberMDX have discovered a vulnerability in a select number of GE Healthcare’s anesthesia and respiratory devices.
CyberMDX, which focuses primarily on medical cybersecurity, states that if successfully exploited, the hole could allow an attacker to interfere with the operation of these sophisticated medical machines, thereby posing a risk to patients.
The vulnerability was discovered in GE’s Aestiva anesthesia delivery equipment, as well as in models 7100 and 7900 of the GE Aespire.
CyberMDX states that an attacker could use this vulnerability to silence alarms and tamper with logs.
Worse, an attacker could even change the composition of aspirated gases, adjusting the cocktail of oxygen, carbon dioxide, nitrous oxide, and anesthetic agents provided to the patient.
The US Department of Homeland Security’s ICS-CERT team has given this vulnerability a CVSS score of 5.3, reflecting the moderate level of risk posed by the security hole.
As is the case with every security vulnerability, exploiting this requires some preconditions to be met. Firstly, the targeted GE Healthcare appliances must be connected to a network. Furthermore, the machines need to be configured to work with a terminal server.
If these conditions are met, the attacker could potentially compromise the devices without knowing the network topology of the medical facility, or even where the machines are located within the building.
In a statement, Elad Luz, Head of Research at CyberMDX, elaborated on the risks posed by this vulnerability.
“The potential for manipulating alarms and gas compositions is obviously troubling. More subtle but just as problematic is the ability to alter timestamps that reflect and document what happened in a surgery,” he said.
Anesthesiology is a complicated science, and each patient may react differently to treatment. As such, anesthesiologists must follow stringent protocols for documenting and reporting procedures, dosages, vital signs, and more. The ability to automatically and accurately capture these details is one of the main reasons why respirators are connected to the network in the first place. Once the integrity of the time and date settings has been compromised, you no longer have reliable audit trails.
TNW reached out to GE Healthcare for comment. Over email, Hannah Huntly, a company spokesperson, explained the vulnerability doesn’t introduce “clinical hazard” to users of the equipment.
“After a formal risk investigation, we have determined that this potential implementation scenario does not introduce clinical hazard or direct patient risk,” she said.
To avoid misuse of this potential implementation scenario, secure terminal servers should be used when connecting GE Healthcare anaesthesia device serial ports to TCP/IP networks.
Huntly added that the organization has a proactive approach to ensuring the integrity of its devices, and that includes partnering with external organizations.
“We have a comprehensive security approach and continuously monitor the environments we operate in to assess and mitigate risks. We will continue to work with government organizations, healthcare providers and security industry leaders on cyber readiness initiatives that support the safe and effective use of our medical devices and software solutions,” Huntly said.
This episode serves as a fundamental reminder that medical devices are quite often computers. And, as is the case with your mobile phone or laptop, they are vulnerable to the same kinds of risks.
Content sourced from TNW