Over 90 Total Lots Up For Auction at One Location - WA 04/08

CyberMDX research team discovers vulnerability in GE anesthesia and respiratory devices

Press releases may be edited for formatting or style | July 09, 2019 Health IT
New York, NY, July 9, 2019 — A cyber vulnerability has been discovered in hospital anesthesia machines, the US Department of Homeland Security's Industrial Control Systems – Cyber Emergency Response Team (ICS-CERT) disclosed today. The vulnerability, discovered by healthcare cybersecurity provider CyberMDX, could allow an attacker to impair respirator functionality — silencing alarms, altering time/date records, and changing the composition of aspirated gases.

The CyberMDX research team found this vulnerability in the firmware of GE Aestiva and GE Aespire devices (models 7100 and 7900). Through the vulnerability, remote commands can be sent to interfere with the normal working order of the device.

If a malicious attacker can gain access to a hospital's network and if the GE Aestiva and GE Aespire Devices are connected to a terminal server, the attacker can hack the devices without any prior knowledge of IP addresses or the location of the machines. The attack could lead to unauthorized gas composition adjustments (altering the concentration of inspired/expired oxygen, CO2, N2O and anesthetic agents), manipulating barometric pressure and anesthetic agent manipulations, alarm silencing, and out-of-process changes to date and time settings. If exploited, this vulnerability could directly impact the confidentiality, integrity and availability of device components, while placing patients at risk.
stats
DOTmed text ad

Reveal Mobi Pro now available for sale in the US

Reveal Mobi Pro integrates the Reveal 35C detector with SpectralDR technology into a modern mobile X-ray solution. Mobi Pro allows for simultaneous acquisition of conventional & dual-energy images with a single exposure. Contact us for a demo at no cost.

stats
The vulnerability was given a CVSS value of 5.3 (reflecting moderate severity) in the ICS-CERT Advisory (ICSMA-19-190-01). The full report can be found at https://www.us-cert.gov/ics/advisories/icsma-19-190-01 .

"The potential for manipulating alarms and gas compositions is obviously troubling. More subtle but just as problematic is the ability to alter timestamps that reflect and document what happened in a surgery. Anesthesiology is a complicated science and each patient may react differently to treatment. As such, Anesthesiologists must follow stringent protocols for documenting and reporting procedures, dosages, vital signs, and more. The ability to automatically and accurately capture these details is one of the main reasons why respirators are connected to the network to begin with. Once the integrity of time and date settings has been compromised, you no longer have reliable audit trails. That's a very serious problem for any medical center." said Elad Luz, Head of Research at CyberMDX.


About CyberMDX's Cybersecurity Research & Analysis Team
CyberMDX's research and analyst team regularly works with medical device organizations in the responsible disclosure of security vulnerabilities. The threat intelligence team works tirelessly to defend hospitals and healthcare organizations from malicious attacks. The team's researchers, white hat hackers, and engineers collect information about possible attack paths to understand attacker motives, means, and methods in an effort to deliver the best protection possible.


About CyberMDX
A pioneer in medical cyber security, CyberMDX is the company behind the leading IoMT visibility and security solution. CyberMDX identifies, categorizes, and protects connected medical devices — ensuring resiliency as well as patient safety and data privacy. With CyberMDX's continuous endpoint discovery & mapping, comprehensive risk assessment, AI-powered containment & response, and operational analytics, risks are easily mitigated and assets optimized.

You Must Be Logged In To Post A Comment