Last April, researchers sounded the alarm after creating malware capable of manipulating cancer tumor scans, highlighting the low level of security of hospital infrastructure. This time, a team from CyberMDX, a company that has made medical cybersecurity its focus, is providing additional evidence in this area.
The company discovered a security flaw in the breathing and anesthesia equipment designed by General Electric. The machines in question are called GE Aespire and GE Aestiva (versions 7900 and 7100) and have been deployed in many hospitals and medical centers in the USA, according to a company report.
Is the medical equipment too old?
General Electric's spokesperson, Amy Sarosiek, told TechCrunch: “After a formal investigation, we determined that this potential scenario did not involve any clinical or direct risk to the patient and that there was no vulnerability with the anesthesia machine itself.” A thin defense, to say the least, in the face of CyberMDX’s report and experiments.
This case once again shows how fragile the medical community seems to be in the face of the risk of a cyber-attack. Sometimes obsolete, the infrastructure of the medical establishments and suppliers involved struggles to keep up with the times, offering an ideal window of opportunity for malicious hackers. The CyberMDX report could, in the future, shift the lines: at least that is the objective.
Patient health at stake
More concretely, what are the ins and outs of this breach? In principle, the attacker must first connect remotely to the network of the targeted hospital. If GE Aestiva or GE Aespire devices are connected to this network via the terminal-server communication protocol (which is almost always the case), then the attacker can insert new commands, without any authentication required.
One of the commands in question plays a key role in infiltrating the systems of the machines mentioned above. The attacker can force them to use an earlier version of the protocol, which is less secure. As a result, the attacker is free to add other, more dangerous commands, still without any authentication required. The consequences can be severe.
One of the actions envisaged, for example, is altering the concentration of the gases inhaled by the patient (oxygen, CO2, N2O, and anesthetic agents) and used in the respiratory and anesthesia system. Others include deactivating the alarm and changing the barometric pressure, the types of anesthetic agents, and the dates and times that document the operation.
According to the advisory of the United States Department of Homeland Security (DHS) published on Tuesday, July 9, 2019, this maneuver requires a relatively low level of hacking skills. The CyberMDX team has performed several tests, focused on deactivating the alarm, to confirm this vulnerability. General Electric was notified by the researchers at the end of October 2018, without any fix being provided.