As per the reports from ZDNet, security researchers from CyberMDX, a healthcare cybersecurity firm found vulnerabilities in two models of hospital anesthesia machines manufactured by General Electric (GE). The two vulnerable devices are GE Aestiva and GE Aespire, models 7100 and 7900 and according to the researchers, the vulnerabilities reside in the two devices’ firmware.
Also, the US Department of Homeland Security’s Industrial Control Systems and Cyber Emergency Response Team (ICS-CERT) issued a medical advisory for this vulnerability CVE-2019-10966. This vulnerability has been assigned 5.3 points as the CVSS score that indicates medium severity as per the ICS-CERT reports.
According to the researchers, attackers on the same network as the devices can send remote commands that can alter devices’ settings.
In a statement to ZDNet, a CyberMDX researcher told, “There is simply a lack of authentication.”
He further added, “The mentioned commands are supported by design. Some of them are only supported on an earlier version of the protocol, however there is another command that allows changing the protocol version (for backward compatibility). After sending a command to change the protocol version to an earlier one, an attacker can send all other commands.”
The researcher claims that the commands can be used for making unauthorized adjustments to the anesthetic machines’ gas composition which includes modifying the concentration of oxygen, CO2, N2O, and other anesthetic agents, or the gas’ barometric pressure.
If attackers get access to hospital’s network where either of these devices is connected to a terminal server, they can possibly break into the machine without knowing its IP address or location. And they can remotely change parameters without authorization and make unauthorized adjustments.
According to the CyberMDX researchers such unauthorized modifications can put patients at risk. Attackers can also silence device alarms for low or high levels of various agents and modify timestamps inside logs.
In a statement to ZDNet, Elad Luz, Head of Research at CyberMDX said, “The potential for manipulating alarms and gas compositions is obviously troubling.” Luz further added, “More subtle but just as problematic is the ability to alter timestamps that reflect and document what happened in surgery.”
But as per a statement by GE Healthcare, the vulnerability is not in the device itself and this particular situation doesn’t grant access to data or pose a direct risk to patients.
The GE Healthcare statement reads,“While the anesthesia device is in use, the potential gas composition parameter changes, potential device time change, or potential remote alarm silencing actions will not interfere in any way with the delivery of therapy to a patient at the point of delivery, and do not pose any direct clinical harm”
In an email to ZDNet, GE explained the mitigations and according to them the vulnerabilities can be avoided if the anesthesia machines aren’t connected to a hospital’s network. In case the anesthesia machines aren’t connected to a hospital network, then they can’t be exploited, even if a hacker has access to a hospital’s network.