Some critical hospital devices can be remotely tampered with

10 Jul 2019

Image: © romaset/Stock.adobe.com

Security researchers have discovered an exploit in popular critical hospital devices that could allow someone to tamper with them remotely.

Researchers at a healthcare security research firm called CyberMDX have discovered an exploit that could put patient safety at risk if exploited. According to TechCrunch, the protocol commonly used in General Electric’s (GE) anaesthesia and respiratory devices would allow someone outside a hospital to send commands and alter their settings.

This would include silencing alarms, altering records and even changing how much air or anaesthetic is administered. All that would be required is for the devices to be hooked into the hospital’s terminal server. It was described by the US Department of Homeland Security as a flaw that requires “low skill level” to exploit.

CyberMDX said the vulnerability affected the GE Aestive and GE Aespire machines, versions 7100 and 7900 respectively, and was first discovered in October of last year. Several field tests with the devices confirmed the vulnerability but the researchers added that they only silenced the alarm as they feared of “long-lasting consequences” if they tried to adjust the levels of anaesthetic or oxygen in a hospital setting.

Scenario does not introduce ‘direct patient risk’

One of the command exploits forces the devices to revert to an older version. This was built into devices in order to facilitate backwards compatibility. However, none of the commands discovered required any kind of authentication.

“On every version, you can first send a command to request to change the protocol version to the earliest one, and then send a request to change gas composition,” Elad Luz, CyberMXD’s head of research, told TechCrunch.

“As long as the device is ported to the network through a terminal server, anyone familiar with the communication protocol can force a revert and send a variety of illegitimate commands to the machine.”

In response, a GE spokesperson told TechCrunch that after its own investigation it has “determined that this potential implementation scenario does not introduce clinical hazard or direct patient risk and there is no vulnerability with the anaesthesia device itself”.

This assessment, it added, was based on international healthcare safety standards. It said that the ability to modify the devices’ gas composition has not been available in its equipment for the past decade.

Colm Gorey was a senior journalist with Silicon Republic

editorial@siliconrepublic.com