A security flaw has been discovered in a number of GE Healthcare devices used by the NHS that could allow hackers to remotely control the amount of anaesthetic delivered to patients.
The remotely exploitable vulnerability requires a "low skill level to exploit" and could enable hackers to silence device alarms, alter date and time settings, adjust anaesthetic dosages and switch anaesthetic agents, according to cyber security firm CyberMDX, which released its findings in partnership with the US Department of Homeland Security on Tuesday.
"Successful exploitation of this vulnerability could allow an attacker the ability to remotely modify GE Healthcare anaesthesia device parameters," said CISA. "This results from the configuration exposure of certain terminal server implementations that extend GE Healthcare anaesthesia device serial ports to TCP/IP networks."
GE Healthcare, a US-based provider of healthcare products, told the BBC that there was no "direct patient risk". However, according to CyberMDX, the devices can be remotely controlled if simply left connected to a hospital's network.
The affected machines include the GE Aestiva and Aespire versions 7100 and 7900. Nottingham University Hospitals (NUH) confirmed to the BBC that "a small number" of the vulnerable devices were active in its hospitals, but are in the process of being phased out.
"None of the anaesthetic machines are connected to the internet or the NUH network so there is very little risk around these machines within NUH," a spokesman added.
Anaesthesiologists usually operate under strict rules requiring them to accurately log procedures, dosages and vital signs, among other things. The devices are fitted with network capabilities so that specialists can get accurate readings from the machine, including its status and actions, relying heavily on date and time measurements.
GE has offered some suggestions regarding mitigation strategies, including the use of secure terminal servers which provide strong encryption, VPN and other features to prevent attackers from accessing devices.
It also suggests that organisations should employ industry best practices, including secure deployment measures such as network segmentation, VLANs and device isolation, to enhance existing security measures.
The Department of Homeland Security has also recommended minimising network exposure to all devices which should be secured behind firewalls. Echoing GE, it said equipment should be isolated wherever possible and unnecessary accounts protocols and services should be disabled.
"While the Aestiva and Aespire devices are highlighted specifically in this research, these types of vulnerabilities are fairly common in medical devices," said Rikke Kuipers, senior manager, Defensics at Synopsys. "Implementing network protocols correctly and securely is challenging, but it is especially important to do so when they are used in life- or safety-critical systems like medical devices."
The case is eerily similar to the Johnson & Johnson case exposed in 2016 which involved hackers being able to remotely control the doses given in hospital insulin pumps, potentially having fatal consequences.
Experts said at the time that the vulnerability exploited poor encryption standards in the device and the company recommended that customers should either stop using the remote control device or reprogram the pump manually to limit insulin dosage.
-
Cisco takes aim at AI security at RSAC with ServiceNow partnershipNews The companies claim Cisco AI Defense and ServiceNow SecOps will help address new challenges raised by AI
-
Why veterans can excel in data centers – and could help the IT sector address its skill shortagesIn-depth Ex-military workers can bring software and hardware to civilian roles
-
Edge devices are now your weakest link: VPNs, firewalls, and routers were the leading source of initial compromise in 30% of incidents last year – here’s whyNews Compromised network edge devices have rapidly emerged as one of the biggest attack points for small and medium businesses.
-
Billions of IoT devices will need to be secured in the next four years – zero trust could be the key to successNews Researchers have warned more than 28 billion IoT devices will need to be secured by 2028 as attacks on connected devices surge.
-
Cisco claims new smart switches provide next-level perimeter defenseNews Cisco’s ‘security everywhere’ mantra has just taken on new meaning with the launch of a series of smart network switches.
-
Five Eyes cyber agencies issue guidance on edge device vulnerabilitiesNews Cybersecurity agencies including the NCSC and CISA have issued fresh guidance on edge device security.
-
T-Mobile security chief insists its defenses stood up to attacks linked to Salt TyphoonNews No T-Mobile customers or services were affected after its security teams detected suspicious activity on their routers
-
Securing your network in every direction with zero trustWhitepaper Webinar on the evolution of network security
-
Turning your log and incident data into real-time security insightsWhitepaper Integrate multiple data sources for a comprehensive security view
-
Do more with less: Optimizing servers with HPE to maximize VMware licensingWhitepaper Your trusted guide through the changes in the virtualization market
