NHS anaesthetic machines vulnerable to hackers

Devices can be remotely controlled to deliver life-threatening anaesthetic doses

A security flaw has been discovered in a number of GE Healthcare devices used by the NHS that could allow hackers to remotely control the amount of anaesthetic delivered to patients.

The remotely exploitable vulnerability requires a "low skill level to exploit" and could enable hackers to silence device alarms, alter date and time settings, adjust anaesthetic dosages and switch anaesthetic agents, according to cyber security firm CyberMDX, which released its findings in partnership with the US Department of Homeland Security on Tuesday.

Advertisement - Article continues below

"Successful exploitation of this vulnerability could allow an attacker the ability to remotely modify GE Healthcare anaesthesia device parameters," said CISA. "This results from the configuration exposure of certain terminal server implementations that extend GE Healthcare anaesthesia device serial ports to TCP/IP networks."

GE Healthcare, a US-based provider of healthcare products, told the BBC that there was no "direct patient risk". However, according to CyberMDX, the devices can be remotely controlled if simply left connected to a hospital's network.

The affected machines include the GE Aestiva and Aespire versions 7100 and 7900. Nottingham University Hospitals (NUH) confirmed to the BBC that "a small number" of the vulnerable devices were active in its hospitals, but are in the process of being phased out.

Advertisement
Advertisement - Article continues below

"None of the anaesthetic machines are connected to the internet or the NUH network so there is very little risk around these machines within NUH," a spokesman added.

Advertisement - Article continues below

Anaesthesiologists usually operate under strict rules requiring them to accurately log procedures, dosages and vital signs, among other things. The devices are fitted with network capabilities so that specialists can get accurate readings from the machine, including its status and actions, relying heavily on date and time measurements.

GE has offered some suggestions regarding mitigation strategies, including the use of secure terminal servers which provide strong encryption, VPN and other features to prevent attackers from accessing devices.

It also suggests that organisations should employ industry best practices, including secure deployment measures such as network segmentation, VLANs and device isolation, to enhance existing security measures.

The Department of Homeland Security has also recommended minimising network exposure to all devices which should be secured behind firewalls. Echoing GE, it said equipment should be isolated wherever possible and unnecessary accounts protocols and services should be disabled.

"While the Aestiva and Aespire devices are highlighted specifically in this research, these types of vulnerabilities are fairly common in medical devices," said Rikke Kuipers, senior manager, Defensics at Synopsys. "Implementing network protocols correctly and securely is challenging, but it is especially important to do so when they are used in life- or safety-critical systems like medical devices."

Advertisement - Article continues below

The case is eerily similar to the Johnson & Johnson case exposed in 2016 which involved hackers being able to remotely control the doses given in hospital insulin pumps, potentially having fatal consequences.

Experts said at the time that the vulnerability exploited poor encryption standards in the device and the company recommended that customers should either stop using the remote control device or reprogram the pump manually to limit insulin dosage.

Advertisement
Advertisement

Recommended

Visit/security/vulnerability/355236/hp-support-assistant-flaws-leave-windows-devices-open-to-attack
vulnerability

HP Support Assistant flaws leave Windows devices open to attack

6 Apr 2020
Visit/security/cyber-security/355234/safari-bug-let-hackers-access-cameras-on-iphones-and-macs
cyber security

Safari bug let hackers access cameras on iPhones and Macs

6 Apr 2020
Visit/software/video-conferencing/355229/zoom-we-moved-too-fast
video conferencing

Zoom CEO admits company "moved too fast" as privacy issues mount

6 Apr 2020
Visit/security/internet-security/355228/mozilla-fixes-two-firefox-zero-days-being-actively-exploited
internet security

Mozilla fixes two Firefox zero-days being actively exploited

6 Apr 2020

Most Popular

Visit/mobile/mobile-phones/355239/microsofts-patent-design-reveals-a-mobile-device-with-a-third-screen
Mobile Phones

Microsoft patents a mobile device with a third screen

6 Apr 2020
Visit/development/application-programming-interface-api/355192/apple-buys-dark-sky-weather-app-and-leaves
application programming interface (API)

Apple buys Dark Sky weather app and leaves Android users in the cold

1 Apr 2020
Visit/software/video-conferencing/355229/zoom-we-moved-too-fast
video conferencing

Zoom CEO admits company "moved too fast" as privacy issues mount

6 Apr 2020