New York, NY, July 9, 2019 — A cyber vulnerability has been discovered in hospital anesthesia machines, the US Department of Homeland Security’s Industrial Control Systems – Cyber Emergency Response Team (ICS-CERT) disclosed today. The vulnerability, discovered by healthcare cybersecurity provider CyberMDX, could allow an attacker to impair respirator functionality — silencing alarms, altering time/date records, and changing the composition of aspirated gases.
The CyberMDX research team found this vulnerability in the GE Aestiva and GE Aespire devices (models 7100 and 7900). Through the vulnerability, remote commands can be sent to interfere with the normal working order of the device.
If a malicious attacker can gain access to a hospital’s network and if the GE Aestiva and GE Aespire devices are connected to a terminal server, the attacker can hack the devices without any prior knowledge of IP addresses or location of the machines. The attack could lead to unauthorized gas composition adjustments (altering the concentration of inspired/expired oxygen, CO2, N2O and anesthetic agents), manipulation of barometric pressure and anesthetic agents, alarm silencing, and out-of-process changes to date and time settings. If exploited, this vulnerability could directly impact the confidentiality, integrity and availability of device components, while placing patients at risk.
The vulnerability was given a CVSS value of 5.3 (reflecting moderate severity) in the ICS-CERT Advisory (ICSMA-19-190-01). The full report can be found at https://www.us-cert.gov/ics/advisories/icsma-19-190-01.
“The potential for manipulating alarms and gas compositions is obviously troubling. More subtle but just as problematic is the ability to alter timestamps that reflect and document what happened in a surgery. Anesthesiology is a complicated science and each patient may react differently to treatment. As such, anesthesiologists must follow stringent protocols for documenting and reporting procedures, dosages, vital signs, and more. The ability to automatically and accurately capture these details is one of the main reasons why respirators are connected to the network to begin with. Once the integrity of time and date settings has been compromised, you no longer have reliable audit trails. That’s a very serious problem for any medical center,” said Elad Luz, Head of Research at CyberMDX.
CyberMDX is an IoT security leader dedicated to protecting the quality care of health delivery worldwide. CyberMDX provides cloud-based cybersecurity solutions that support the advancement of the Internet of Medical Things. The CyberMDX solution identifies endpoints and assesses vulnerabilities to detect, respond to, and prevent cyber incidents. Deployed worldwide, CyberMDX is designed to integrate with its customers’ existing environments through its scalable, easy-to-deploy and agentless solution.