Expand / Collapse search
Watch TV
Menu

This material may not be published, broadcast, rewritten, or redistributed. ©2024 FOX News Network, LLC. All rights reserved. Quotes displayed in real-time or delayed by at least 15 minutes. Market data provided by Factset. Powered and implemented by FactSet Digital Solutions. Legal Statement. Mutual Fund and ETF data provided by Refinitiv Lipper.

Hackers

GE anesthesia machines can be exposed to hackers: DHS

By Brooke Crothers Fox News
Published | Updated
close
Fox News Flash top headlines for July 11 Video

Fox News Flash top headlines for July 11

Fox News Flash top headlines for July 11 are here. Check out what's clicking on Foxnews.com

GE anesthesia machines are ripe for tampering, according to a new DHS advisory.

A fresh warning from the Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA) says the vulnerability could allow an attacker to remotely modify GE Healthcare anesthesia machines.

GE Healthcare is aware of the vulnerability, issuing a statement that says there is “potential ability to modify gas composition parameters...modify device time and silence alarms after the initial audible alarm," according to the GE Healthcare website.

The company added that it conducted a formal internal risk investigation and determined that “there is no introduction of clinical hazard or direct patient risk.”

GE anesthesia machines are ripe for hacking, officials warn. (Fox News)

The devices affected are the GE Aestiva  and Aespire Versions 7100 and GE Aestiva  and Aespire Versions 7900.

But experts are wary. “The real concern when hacking medical devices [is] it only takes one hacked device to hurt or, forbid, kill a patient,” Nadir Izrael, CTO and co-founder of IoT security firm Armis, told Fox News in an email.

The attacks are not about stealing data, he said. “They are about data and device manipulation; whether that is delivering too much anesthesia or stopping a respiratory device,” he said.

And medical devices are especially vulnerable. “Because of the erroneous belief that any medical device on a corporate or secured network is completely safe,” Izrael said, adding that security has become a big challenge for connected medical devices.

Backward compatibility hole

To allow new medical equipment to work with older technology, machines are designed to allow for backward network protocol compatibility, according to a blog post at CyberMDX, a cybersecurity firm.

Russian hackers accessed voter data in two Florida counties Video

That could potentially allow someone to force the machines to revert to earlier, less-secure protocol versions. “When it comes to these GE devices, that means that anyone familiar with the communication protocol can force a revert and send a variety of problematic commands to the machine,” CyberMDX's Jon Rabinowitz wrote in a blog post.

CyberMDX also takes issue with the score the vulnerability received – a Common Vulnerability Scoring System (CVSS) score of v3 5.3, which is considered moderate severity.

The problem is, despite updates to the scoring system, the basic approach to severity assessment has remained static for the last 15 years, wrote Rabinowitz.

“No one was thinking about things like medical device vulnerabilities back then…We need a scale that could measure ‘risk’ more holistically — in terms of both technology and human costs,” he said. "Bottom line, if this vulnerability were to be scored on a more holistic scale for risk, it would be considered critical," he added.