Researchers have discovered a vulnerability in the protocol of in-hospital anesthesia devices, GE Aestiva and GE Aespire (models 7100 and 7900), that could allow an attacker to send remote commands that interfere with the devices’ normal working order, according to the US Department of Homeland Security's Industrial Control Systems – Cyber Emergency Response Team (ICS-CERT).
Discovered by CyberMDX, the vulnerability was given a moderate-severity CVSS score of 5.3 because an attacker could “impair respirator functionality, changing the composition of aspirated gases — silencing alarms and altering time/date.”
In a statement, GE Healthcare said it was aware of the vulnerability and had conducted a formal internal risk investigation.
Based on the findings of the investigation, GE Healthcare concluded, “the potential ability to remotely modify GE Healthcare anesthesia device parameters is an effect resulting from a configuration exposure through certain insufficiently secured terminal server implementations that extend GE Healthcare anesthesia device serial ports to TCP/IP networks; while the anesthesia device is in use, the potential gas composition parameter changes, potential device time change, or potential remote alarm silencing actions will not interfere in any way with the delivery of therapy to a patient at the point of delivery, and do not pose any direct clinical harm; and the potential ability to modify GE Healthcare anesthesia device parameters or silence alarms does not demonstrate a vulnerability of the GE Healthcare anesthesia device functionality itself.”
However, GE’s response of “testing maximum variation in parameter modification” doesn’t sit well with Deral Heiland, Internet of Things research lead at Rapid7.
“It makes me wonder what level of control can be conducted over the network against the anesthesia and respiratory machines,” Heiland said. “My first thought is, if the device can accept commands over the network without authentication, then that would be a critical risk. Either way medical facilities should always maintain segmentation of their critical care networks from exposure and this may help mitigate many known and unknown risks.”