GE anesthesia machines are ripe for tampering, according to a new DHS advisory.
A fresh warning from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) says the vulnerability could allow an attacker to remotely modify GE Healthcare anesthesia machines.
GE Healthcare is aware of the vulnerability; a statement on the GE Healthcare website says there is a “potential ability to modify gas composition parameters...modify device time and silence alarms after the initial audible alarm.”
The company added that it conducted a formal internal risk investigation and determined that “there is no introduction of clinical hazard or direct patient risk.”
The affected devices are the GE Aestiva and Aespire, versions 7100 and 7900.
But experts are wary. “The real concern when hacking medical devices [is] it only takes one hacked device to hurt or, forbid, kill a patient,” Nadir Izrael, CTO and co-founder of IoT security firm Armis, told Fox News in an email.
The attacks are not about stealing data, he said. “They are about data and device manipulation; whether that is delivering too much anesthesia or stopping a respiratory device,” he said.
Medical devices are especially vulnerable, Izrael said, “because of the erroneous belief that any medical device on a corporate or secured network is completely safe,” adding that security has become a big challenge for connected medical devices.
Backward compatibility hole
To allow new medical equipment to work with older technology, machines are designed to allow for backward network protocol compatibility, according to a blog post at CyberMDX, a cybersecurity firm.
That could potentially allow someone to force the machines to revert to earlier, less-secure protocol versions. “When it comes to these GE devices, that means that anyone familiar with the communication protocol can force a revert and send a variety of problematic commands to the machine,” CyberMDX's Jon Rabinowitz wrote in a blog post.
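The downgrade weakness described above is a negotiation problem: the device accepts whatever protocol version the peer asks for, including older, less-secure dialects. The guard below is an added illustration written for this article, not GE's code or CyberMDX's; the message format (`HELLO v=<n>`), the version numbers, the peer addresses and the policy values are all constructed for the example. It shows the defensive pattern a device listener would want: a configured version floor, refusal of anything below it, and an audit record of every refused attempt so repeated downgrade requests can be alerted on.

```python
"""Protocol-version floor for a device network listener (added example).

Assumptions: a peer opens a session with a line such as "HELLO v=2" naming
the protocol version it wants. Nothing here models any real vendor protocol;
the format and versions are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple
import re

# Constructed message syntax: "HELLO v=<integer version>"
HELLO_RE = re.compile(r"^HELLO v=(\d+)$")


@dataclass
class DowngradeGuard:
    minimum_version: int          # oldest dialect the device will still speak
    current_version: int          # newest dialect the device implements
    audit_log: list = field(default_factory=list)

    def negotiate(self, hello: str, peer: str) -> Tuple[bool, Optional[int]]:
        """Return (accepted, agreed_version) for one peer greeting.

        A request below the floor is refused and logged rather than honoured;
        a request above what the device supports is capped, never downgraded
        below the floor.
        """
        match = HELLO_RE.match(hello.strip())
        if not match:
            self.audit_log.append(f"{peer}: malformed greeting {hello!r}")
            return False, None
        requested = int(match.group(1))
        if requested < self.minimum_version:
            self.audit_log.append(
                f"{peer}: downgrade to v{requested} refused "
                f"(floor is v{self.minimum_version})"
            )
            return False, None
        agreed = min(requested, self.current_version)
        return True, agreed

    def refused_by_peer(self) -> dict:
        """Count refused downgrade attempts per peer, for alerting thresholds."""
        counts: dict = {}
        for entry in self.audit_log:
            if "downgrade" in entry:
                peer = entry.split(":", 1)[0]
                counts[peer] = counts.get(peer, 0) + 1
        return counts


def run_sample() -> Tuple[list, DowngradeGuard]:
    """Drive the guard with constructed greetings and return the decisions."""
    guard = DowngradeGuard(minimum_version=2, current_version=3)
    samples = [  # (greeting, peer address) -- all constructed
        ("HELLO v=3", "10.0.0.5"),   # current version: accepted as v3
        ("HELLO v=2", "10.0.0.6"),   # at the floor: accepted as v2
        ("HELLO v=1", "10.0.0.7"),   # below the floor: refused and logged
        ("HELLO v=9", "10.0.0.8"),   # newer than supported: capped to v3
        ("HELLO v=1", "10.0.0.7"),   # second attempt from the same peer
        ("HELLO", "10.0.0.9"),       # malformed: refused and logged
    ]
    decisions = [guard.negotiate(hello, peer) for hello, peer in samples]
    return decisions, guard


if __name__ == "__main__":
    decisions, guard = run_sample()
    for decision in decisions:
        print(decision)
    print("\n".join(guard.audit_log))
    print(guard.refused_by_peer())
```

The important design choice is that the floor is enforced by the device, not left to the peer: a listener that honours any requested version cannot distinguish a legacy client from someone forcing a revert, whereas one that refuses and records the attempt gives operators a signal to act on.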
CyberMDX also takes issue with the score the vulnerability received, a Common Vulnerability Scoring System (CVSS) v3 score of 5.3, which is considered moderate severity.
The problem, Rabinowitz wrote, is that despite updates to the scoring system, the basic approach to severity assessment has remained static for the last 15 years.
“No one was thinking about things like medical device vulnerabilities back then…We need a scale that could measure ‘risk’ more holistically — in terms of both technology and human costs,” he said. “Bottom line, if this vulnerability were to be scored on a more holistic scale for risk, it would be considered critical,” he added.