NHS anaesthetic machines vulnerable to hackers

Devices can be remotely controlled to deliver life-threatening anaesthetic doses

A security flaw has been discovered in a number of GE Healthcare devices used by the NHS that could allow hackers to remotely control the amount of anaesthetic delivered to patients.

The remotely exploitable vulnerability requires a "low skill level to exploit" and could enable hackers to silence device alarms, alter date and time settings, adjust anaesthetic dosages and switch anaesthetic agents, according to cyber security firm CyberMDX, which released its findings in partnership with the US Department of Homeland Security on Tuesday.

"Successful exploitation of this vulnerability could allow an attacker the ability to remotely modify GE Healthcare anaesthesia device parameters," said CISA. "This results from the configuration exposure of certain terminal server implementations that extend GE Healthcare anaesthesia device serial ports to TCP/IP networks."

GE Healthcare, a US-based provider of healthcare products, told the BBC that there was no "direct patient risk". However, according to CyberMDX, the devices can be remotely controlled if simply left connected to a hospital's network.

The affected machines include the GE Aestiva and Aespire versions 7100 and 7900. Nottingham University Hospitals (NUH) confirmed to the BBC that "a small number" of the vulnerable devices were active in its hospitals, but are in the process of being phased out.

"None of the anaesthetic machines are connected to the internet or the NUH network so there is very little risk around these machines within NUH," a spokesman added.

Anaesthesiologists usually operate under strict rules requiring them to accurately log procedures, dosages and vital signs, among other things. The devices are fitted with network capabilities so that specialists can get accurate readings from the machine, including its status and actions, relying heavily on date and time measurements.

GE has offered some suggestions regarding mitigation strategies, including the use of secure terminal servers which provide strong encryption, VPN and other features to prevent attackers from accessing devices.

It also suggests that organisations should employ industry best practices, including secure deployment measures such as network segmentation, VLANs and device isolation, to enhance existing security measures.

The Department of Homeland Security has also recommended minimising network exposure to all devices which should be secured behind firewalls. Echoing GE, it said equipment should be isolated wherever possible and unnecessary accounts protocols and services should be disabled.

"While the Aestiva and Aespire devices are highlighted specifically in this research, these types of vulnerabilities are fairly common in medical devices," said Rikke Kuipers, senior manager, Defensics at Synopsys. "Implementing network protocols correctly and securely is challenging, but it is especially important to do so when they are used in life- or safety-critical systems like medical devices."

The case is eerily similar to the Johnson & Johnson case exposed in 2016 which involved hackers being able to remotely control the doses given in hospital insulin pumps, potentially having fatal consequences.

Experts said at the time that the vulnerability exploited poor encryption standards in the device and the company recommended that customers should either stop using the remote control device or reprogram the pump manually to limit insulin dosage.

Featured Resources

Four cyber security essentials that your board of directors wants to know

The insights to help you deliver what they need

Download now

Data: A resource much too valuable to leave unprotected

Protect your data to protect your company

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

Recommended

What are biometrics?
Security

What are biometrics?

27 Nov 2020
Black Friday's best antivirus deals
Security

Black Friday's best antivirus deals

27 Nov 2020
Veritas Access Appliance with IBM Spectrum® Protect
Server & storage

Veritas Access Appliance with IBM Spectrum® Protect

27 Nov 2020
Ransomware protection with Veritas NetBackup Appliances
Security

Ransomware protection with Veritas NetBackup Appliances

27 Nov 2020

Most Popular

80% of cyber professionals say the Computer Misuse Act is working against them
Security

80% of cyber professionals say the Computer Misuse Act is working against them

20 Nov 2020
Cisco acquires container security startup Banzai Cloud
Security

Cisco acquires container security startup Banzai Cloud

18 Nov 2020
46 million Animal Jam accounts leaked after comms software breach
Security

46 million Animal Jam accounts leaked after comms software breach

13 Nov 2020