NHS anaesthetic machines vulnerable to hackers

Devices can be remotely controlled to deliver life-threatening anaesthetic doses

A security flaw has been discovered in a number of GE Healthcare devices used by the NHS that could allow hackers to remotely control the amount of anaesthetic delivered to patients.

The remotely exploitable vulnerability requires a "low skill level to exploit" and could enable hackers to silence device alarms, alter date and time settings, adjust anaesthetic dosages and switch anaesthetic agents, according to cyber security firm CyberMDX, which released its findings in partnership with the US Department of Homeland Security on Tuesday.

"Successful exploitation of this vulnerability could allow an attacker the ability to remotely modify GE Healthcare anaesthesia device parameters," said CISA. "This results from the configuration exposure of certain terminal server implementations that extend GE Healthcare anaesthesia device serial ports to TCP/IP networks."

GE Healthcare, a US-based provider of healthcare products, told the BBC that there was no "direct patient risk". However, according to CyberMDX, the devices can be remotely controlled if simply left connected to a hospital's network.

The affected machines include the GE Aestiva and Aespire versions 7100 and 7900. Nottingham University Hospitals (NUH) confirmed to the BBC that "a small number" of the vulnerable devices were active in its hospitals, but are in the process of being phased out.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"None of the anaesthetic machines are connected to the internet or the NUH network so there is very little risk around these machines within NUH," a spokesman added.

Anaesthesiologists usually operate under strict rules requiring them to accurately log procedures, dosages and vital signs, among other things. The devices are fitted with network capabilities so that specialists can get accurate readings from the machine, including its status and actions, relying heavily on date and time measurements.

GE has offered some suggestions regarding mitigation strategies, including the use of secure terminal servers which provide strong encryption, VPN and other features to prevent attackers from accessing devices.

It also suggests that organisations should employ industry best practices, including secure deployment measures such as network segmentation, VLANs and device isolation, to enhance existing security measures.

The Department of Homeland Security has also recommended minimising network exposure to all devices which should be secured behind firewalls. Echoing GE, it said equipment should be isolated wherever possible and unnecessary accounts protocols and services should be disabled.

Advertisement - Article continues below

"While the Aestiva and Aespire devices are highlighted specifically in this research, these types of vulnerabilities are fairly common in medical devices," said Rikke Kuipers, senior manager, Defensics at Synopsys. "Implementing network protocols correctly and securely is challenging, but it is especially important to do so when they are used in life- or safety-critical systems like medical devices."

The case is eerily similar to the Johnson & Johnson case exposed in 2016 which involved hackers being able to remotely control the doses given in hospital insulin pumps, potentially having fatal consequences.

Experts said at the time that the vulnerability exploited poor encryption standards in the device and the company recommended that customers should either stop using the remote control device or reprogram the pump manually to limit insulin dosage.

Featured Resources

Transform the operator experience with enhanced automation & analytics

Bring networking into the digital era

Download now

Artificially intelligent data centres

How the C-Suite is embracing continuous change to drive value

Download now

Deliver secure automated multicloud for containers with Red Hat and Juniper

Learn how to get started with the multicloud enabler from Red Hat and Juniper

Download now

Get the best out of your workforce

7 steps to unleashing their true potential with robotic process automation

Download now
Advertisement

Recommended

Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/operating-systems/microsoft-windows/354297/this-exploit-could-give-users-free-windows-7-updates
Microsoft Windows

This exploit could give users free Windows 7 updates beyond 2020

9 Dec 2019
Visit/security/vulnerability/354309/patch-issued-for-critical-windows-bug
vulnerability

Patch issued for critical Windows bug

11 Dec 2019
Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/data-insights/big-data/354311/google-reveals-uks-most-searched-for-terms-in-2019
big data

Google reveals UK’s most searched for terms in 2019

11 Dec 2019