New York, NY, July 9, 2019 — A cyber vulnerability has been discovered in hospital anesthesia machines, the US Department of Homeland Security’s Industrial Control Systems – Cyber Emergency Response Team (ICS-CERT) disclosed today. The vulnerability, discovered by healthcare cybersecurity provider CyberMDX, could allow an attacker to impair respirator functionality — silencing alarms, altering time/date records, and changing the composition of aspirated gases.
The CyberMDX research team found this vulnerability in the GE Aestiva and GE Aespire devices (models 7100 and 7900). Through the vulnerability, remote commands can be sent to interfere with the normal working order of the device.
If a malicious attacker can gain access to a hospital’s network and if the GE Aestiva and GE Aespire Devices are connected to a terminal server, the attacker can hack the devices without any prior knowledge of IP addresses or location of the machines. The attack could lead to unauthorized gas composition adjustments (altering the concentration of inspired/expired oxygen, CO2, N2O and anesthetic agents), manipulating barometric pressure and anesthetic agent manipulations, alarm silencing, and out-of-process changes to date and time settings. If exploited, this vulnerability could directly impact the confidentiality, integrity and availability of device components, while placing patients at risk.
The vulnerability was given a CVSS value of 5.3 (reflecting moderate severity) in the ICS-CERT Advisory (ICSMA-19-190-01). The full report can be found at https://www.us-cert.gov/ics/advisories/icsma-19-190-01.
“The potential for manipulating alarms and gas compositions is obviously troubling. More subtle but just as problematic is the ability to alter timestamps that reflect and document what happened in a surgery. Anesthesiology is a complicated science and each patient may react differently to treatment. As such, Anesthesiologists must follow stringent protocols for documenting and reporting procedures, dosages, vital signs, and more. The ability to automatically and accurately capture these details is one of the main reasons why respirators are connected to the network to begin with. Once the integrity of time and date settings has been compromised, you no longer have reliable audit trails. That's a very serious problem for any medical center.” said Elad Luz, Head of Research at CyberMDX.
More information on the vulnerability can be found here.
CyberMDX’s research and analyst team regularly works with medical device organizations in the responsible disclosure of security vulnerabilities. The threat intelligence team works tirelessly to defend hospitals and healthcare organizations from malicious attacks. The team’s researchers, white hat hackers, and engineers collect information about possible attack paths to understand attacker motives, means, and methods in an effort to deliver the best protection possible.
A pioneer in medical cybersecurity, CyberMDX is the company behind the leading IoMT visibility and security solution. CyberMDX identifies, categorizes, and protects connected medical devices — ensuring resiliency as well as patient safety and data privacy. With CyberMDX’s continuous endpoint discovery & mapping, comprehensive risk assessment, AI-powered containment & response, and operational analytics, risks are easily mitigated and assets optimized. For more information, please click here.