The vulnerability, discovered by healthcare cybersecurity provider CyberMDX, could allow an attacker to impair respirator functionality, changing the composition of aspirated gases — silencing alarms, and altering time/date records.

The CyberMDX research team found this vulnerability in the protocol of GE Aestiva and GE Aespire devices (models 7100 and 7900). Through the vulnerability, remote commands can be sent to interfere with the normal working order of the device.

If a malicious attacker can gain access to a hospital’s network and if the GE Aestiva and GE Aespire Devices are connected to a terminal server, the attacker can hack the devices without any prior knowledge of IP addresses or location of the machines. The attack could lead to unauthorized gas composition adjustments (altering the concentration of inspired/expired oxygen, CO2, N2O, and anesthetic agents), barometric pressure and anesthetic agent  manipulations,  alarm silencing, and out-of-process changes to date and time settings. If exploited, this vulnerability could directly impact the integrity, confidentiality, and availability of device components, while placing the patient at risk.

“The potential for manipulating alarms and gas compositions is obviously troubling. More subtle but just as problematic is the ability to alter timestamps that reflect and document what happened in surgery. Anesthesiology is a complicated science and each patient may react differently to treatment. As such, Anesthesiologists must follow stringent protocols for documenting and reporting procedures, dosages, vital signs, and more. The ability to automatically and accurately capture these details is one of the main reasons why respirators are connected to the network to begin with. Once the integrity of time and date settings has been compromised, you no longer have reliable audit trails. That’s a very serious problem for any medical center,” said Elad Luz, Head of Research at CyberMDX.

Source: Company Press Release