GE anesthesia/respiratory devices have cyber vulnerabilities
Two types of hospital anesthesia devices manufactured by GE Healthcare contain significant cyber vulnerabilities, a federal agency contends.
Cybersecurity vendor CyberMDX, based in New York, discovered the medical device vulnerabilities in GE Healthcare anesthesia and respiratory devices, reports the Department of Homeland Security’s Industrial Control Systems-Cyber Emergency Response Team.
The vulnerabilities relate to the GE Aestiva and GE Aespire devices, which are models 7100 and 7900.
“If an attacker gains access to a hospital’s network and if the GE Aestiva or GE Aespire devices are connected via terminal servers, the attacker can force the devices to revert to an earlier, less secure version of the communication protocol and remotely modify parameters without authorization,” says Elad Luz, head of research at CyberMDX.
When the devices are deployed using terminal servers, these manipulations can be performed with no prior knowledge of the IP addresses or location of the anesthesia machine.
Consequently, the concentration of inspired/expired oxygen, CO2, N2O and anesthetic agents can be altered. Other manipulations can include barometric pressure settings and anesthetic agent type selection, CyberMDX warns. Remote silencing of alarms and alteration of date and time settings are also possible.
CyberMDX says it conducted several field tests with the machines and confirmed the vulnerability.
“It should, however, be noted that the team only attempted the command to silence the device’s alarm, as adjustments to settings for chemical constitution and time can have complicated and potentially long-lasting consequences that were best to avoid in a real hospital environment.”
GE Healthcare will provide updates and additional security information on the vulnerability for affected users via its website.