The federal Cybersecurity and Infrastructure Agency (CISA) says GE Healthcare’s anesthesia machines could be modified remotely by hackers
The United States Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA) announced that hospital anesthesia machines could be vulnerable to cyber attacks. According to an advisory released by the Industrial Control Systems – Cyber Emergency Response Team (ICS-CERT), a certain protocol found in GE-manufactured anesthesia machines, could render anesthesia devices vulnerable and allow them to be remotely modified by hackers.
The vulnerability was discovered by software company CyberMDX. Specifically, the company’s research team discovered that General Electric’s GE Aestiva and GE Aespire devices (models 7100 and 7900) could be subject to remote commands sent by attackers attempting to interfere with the normal working order of the devices. This could involve hackers attempting to impair respirator functionality, change the composition of aspirated gases, silence alarms, and alter time/date records.
“The potential for manipulating alarms and gas compositions is obviously troubling. More subtle but just as problematic is the ability to alter timestamps that reflect and document what happened in surgery. Anesthesiology is a complicated science and each patient may react differently to treatment. As such, Anesthesiologists must follow stringent protocols for documenting and reporting procedures, dosages, vital signs, and more. The ability to automatically and accurately capture these details is one of the main reasons why respirators are connected to the network to begin with. Once the integrity of time and date settings has been compromised, you no longer have reliable audit trails. That’s a very serious problem for any medical center,” Elad Luz, head of research at CyberMDX said in a press release.
In order to reduce risk, CISA recommends users take defensive measures. Specifically, users should minimize network exposure for all medical devices and/or systems; locate medical devices behind firewalls and isolate them where possible; restrict system access to authorized personnel only and follow a least privilege approach; apply defense-in-depth strategies; and disable any unnecessary accounts, protocols and services.
CISA says organizations should perform impact analyses and risk assessments prior to deploying these defensive measures. Additionally, in the event an apparent hack is observed, organizations should report their findings to CISA for tracking and correlation against other incidents.
GE Healthcare also released a statement on the vulnerability.
“GE Healthcare recommends organizations use secure terminal servers if choosing to connect GE Healthcare anesthesia device serial ports to TCP/IP networks. Secure terminal servers, when correctly configured, provide robust security features, including strong encryption, VPN, authentication of users, network controls, logging, audit capability, and secure device configuration and management options,” GE said in a statement. “GE Healthcare recommends that organizations utilize best practices for terminal servers that include governance, management and secure deployment measures such as network segmentation, VLANs and device isolation to enhance existing security measures.”