Researchers have discovered a vulnerability that can be used to hack some of GE Healthcare’s hospital anesthesia devices, but the vendor says it does not pose a direct risk to patients [update at the end].
The flaw, tracked as CVE-2019-10966, was discovered by CyberMDX, a research and analysis company specializing in medical device security. According to the company, an attacker who has access to a hospital’s network can force some GE Aestiva and Aespire anesthesia devices (versions 7100 and 7900) — if they are connected through terminal servers — to use an earlier and less secure version of the communication protocol.
This allows the attacker to modify parameters, including to manipulate the concentration of oxygen, CO2, N2O, and anesthetic agents supplied by the machine, change barometric pressure settings and anesthetic agent type selection, alter the device’s date and time settings, and silence alarms designed to alert medical staff of a problem.
The U.S. Department of Homeland Security has published a security advisory covering this vulnerability through its National Cybersecurity & Communications Integration Center.
The attack involves sending specially crafted requests to the targeted machine over the network and it does not require any user interaction or knowledge of the device’s IP address, CyberMDX says.
“The attack could lead to unauthorized gas composition adjustments (altering the concentration of inspired/expired oxygen, CO2, N2O, and anesthetic agents), barometric pressure and anesthetic agent manipulations, alarm silencing, and out-of-process changes to date and time settings. If exploited, this vulnerability could directly impact the integrity, confidentiality, and availability of device components, while placing the patient at risk,” reads a press release from the company.
Elad Luz, head of research at CyberMDX, has pointed out that modifying date and time settings can also have serious consequences.
“Anesthesiology is a complicated science and each patient may react differently to treatment. As such, Anesthesiologists must follow stringent protocols for documenting and reporting procedures, dosages, vital signs, and more. The ability to automatically and accurately capture these details is one of the main reasons why respirators are connected to the network to begin with. Once the integrity of time and date settings has been compromised, you no longer have reliable audit trails. That’s a very serious problem for any medical center,” Luz explained.
A CVSS score of 5.3 has been assigned to this vulnerability, which makes it “medium severity,” but Luz told SecurityWeek that this score does not accurately represent the potential for harm as it focuses on the potential system compromise and not human impact.
“In the case of this vulnerability, the system compromise is somewhat limited — lacking, for example, the ability to load any malicious content onto the machine; but the human impact could potentially be significant — for example, with the ability to silence alarms that might require immediate intervention,” Luz said, adding, “This really touches on a larger issue in the industry that there is currently no scoring system designed to express the potential for human impact.”
Luz has admitted that the likelihood of exploitation in the real world is relatively low, noting, “there aren’t a lot of hackers looking specifically to break into anaesthesia machines.”
GE Healthcare, on the other hand, says the vulnerability is not in the anesthesia device itself and is rather an issue of terminal servers not being configured properly.
The company has admitted that alarms can be silenced, but says there is still an initial audible alarm before it’s silenced by the exploit and the physician would still see visual indicators of the alarm.
Furthermore, the vendor says the vulnerability does not allow access to any sensitive data and it does not introduce any clinical hazard or direct patient risk.
“While the anesthesia device is in use, the potential gas composition parameter changes, potential device time change, or potential remote alarm silencing actions will not interfere in any way with the delivery of therapy to a patient at the point of delivery, and do not pose any direct clinical harm,” GE Healthcare said in its advisory.
CyberMDX recently also disclosed two potentially serious vulnerabilities affecting infusion therapy products from medical technology firm BD.
UPDATE 08/07/2019. TechCrunch noticed that GE updated its advisory to say that the vulnerability does post a risk to patients. The advisory now includes the following:
Although extremely improbable, an insufficiently secured terminal server may provide an opportunity for a malicious actor that has already penetrated the hospital network to send fraudulent flow sensor correction parameters to certain products (see table). A terminal server is an accessory that can be obtained from a third-party supplier (non-GE Healthcare) outside of the standard product configuration. If fraudulent flow sensor correction parameters are sent, the flow sensor calibration could be impacted and cause over-delivery of tidal volume to a patient if Volume Control ventilation is being used. Over-delivery of tidal volume could in rare cases theoretically lead to an increased risk of lung injury. In addition, under-delivery could theoretically occur and cause too little total volume of gas to be delivered. If this were to occur without normal clinical intervention, there could theoretically be compromise of patient oxygenation or ventilation.
Related: Some Medtronic Insulin Pumps Vulnerable to Hacker Attacks
Related: Siemens Medical Products Affected by Wormable Windows Flaw