NHS anaesthetic machines vulnerable to hackers

Devices can be remotely controlled to deliver life-threatening anaesthetic doses

A security flaw has been discovered in a number of GE Healthcare devices used by the NHS that could allow hackers to remotely control the amount of anaesthetic delivered to patients.

The remotely exploitable vulnerability requires a "low skill level to exploit" and could enable hackers to silence device alarms, alter date and time settings, adjust anaesthetic dosages and switch anaesthetic agents, according to cyber security firm CyberMDX, which released its findings in partnership with the US Department of Homeland Security on Tuesday.

Advertisement - Article continues below

"Successful exploitation of this vulnerability could allow an attacker the ability to remotely modify GE Healthcare anaesthesia device parameters," said CISA. "This results from the configuration exposure of certain terminal server implementations that extend GE Healthcare anaesthesia device serial ports to TCP/IP networks."

GE Healthcare, a US-based provider of healthcare products, told the BBC that there was no "direct patient risk". However, according to CyberMDX, the devices can be remotely controlled if simply left connected to a hospital's network.

The affected machines include the GE Aestiva and Aespire versions 7100 and 7900. Nottingham University Hospitals (NUH) confirmed to the BBC that "a small number" of the vulnerable devices were active in its hospitals, but are in the process of being phased out.

Advertisement - Article continues below

"None of the anaesthetic machines are connected to the internet or the NUH network so there is very little risk around these machines within NUH," a spokesman added.

Advertisement - Article continues below

Anaesthesiologists usually operate under strict rules requiring them to accurately log procedures, dosages and vital signs, among other things. The devices are fitted with network capabilities so that specialists can get accurate readings from the machine, including its status and actions, relying heavily on date and time measurements.

GE has offered some suggestions regarding mitigation strategies, including the use of secure terminal servers which provide strong encryption, VPN and other features to prevent attackers from accessing devices.

It also suggests that organisations should employ industry best practices, including secure deployment measures such as network segmentation, VLANs and device isolation, to enhance existing security measures.

The Department of Homeland Security has also recommended minimising network exposure to all devices which should be secured behind firewalls. Echoing GE, it said equipment should be isolated wherever possible and unnecessary accounts protocols and services should be disabled.

"While the Aestiva and Aespire devices are highlighted specifically in this research, these types of vulnerabilities are fairly common in medical devices," said Rikke Kuipers, senior manager, Defensics at Synopsys. "Implementing network protocols correctly and securely is challenging, but it is especially important to do so when they are used in life- or safety-critical systems like medical devices."

Advertisement - Article continues below

The case is eerily similar to the Johnson & Johnson case exposed in 2016 which involved hackers being able to remotely control the doses given in hospital insulin pumps, potentially having fatal consequences.

Experts said at the time that the vulnerability exploited poor encryption standards in the device and the company recommended that customers should either stop using the remote control device or reprogram the pump manually to limit insulin dosage.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now



University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
ethical hacking

Mobile banking apps are exposing user data to attackers

26 Jun 2020

Most Popular

Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020

How to find RAM speed, size and type

24 Jun 2020
cyber attacks

Trump confirms US cyber attack on Russia election trolls

13 Jul 2020