The U.S. Homeland Security Dept. yesterday warned of cybersecurity vulnerabilities in the GE Aestiva and Aespire anesthesia devices.
The DHS Industrial Control Systems Cyber Emergency Response Team, acting on weaknesses discovered by researchers at CyberMDX, said the vulnerabilities could allow an attacker to remotely modify GE Healthcare anesthesia device parameters. The vulnerability comes from a configuration exposure of certain terminal server implementations that are designed to extend the anesthesia device serial ports to unsecured TCP/IP networks, according to the ICS-CERT.
Anesthesia models affected by the vulnerability include the GE Aestiva and Aespire versions 7100 and 7900.
CyberMDX said that a malicious attacker could gain access to a hospital’s network and could cause unauthorized gas composition adjustments, barometric pressure and anesthetic agent manipulations, alarm silencing and out-of-process changes to date and time settings.
“The potential for manipulating alarms and gas compositions is obviously troubling. More subtle but just as problematic is the ability to alter timestamps that reflect and document what happened in surgery. Anesthesiology is a complicated science and each patient may react differently to treatment. As such, anesthesiologists must follow stringent protocols for documenting and reporting procedures, dosages, vital signs and more. The ability to automatically and accurately capture these details is one of the main reasons why respirators are connected to the network to begin with. Once the integrity of time and date settings has been compromised, you no longer have reliable audit trails. That’s a very serious problem for any medical center,” head of research at CyberMDX Elad Luz said in a press release.
The vulnerability was given a CVSS value of 5.3, or moderately severe.
GE Healthcare recommended that hospitals use secure terminal servers to connect GE Healthcare anesthesia device serial ports to TCP/IP networks. The company also recommended that organizations use best practices for terminal services. NCCIC recommended that users minimize network exposure for medical devices and systems, locate medical devices behind firewalls and isolate them, restrict system access, apply defense-in-depth strategies and disable unnecessary accounts, protocols and services.