GE Healthcare anesthesia and respiratory medical devices have a firmware vulnerability that could endanger patients by enabling a remote attacker to silence device alarms, alter time and date records, and change the gas composition.

This was the warning issued July 9 by the Department of Homeland Security’s Industrial Control Systems-Cyber Emergency Response Team (ICS-CERT).

Discovered by CyberMDX, the vulnerability is in the firmware for GE Healthcare Aestiva and Aespire devices (models 7100 and 7900).

“A vulnerability exists where serial devices are connected via an added unsecured terminal server to a TCP/IP network configuration, which could allow an attacker to remotely modify device configuration and silence alarms,” the advisory explained.

If a remote attacker could gain access to the hospital’s network and if the vulnerable devices are connected to a terminal server, the attacker could gain access to the device without prior knowledge of IP addresses or the location of the devices, according to a CyberMDX release.

This could result in the attacker altering the concentration of inspired/expired oxygen, carbon dioxide, nitrous oxide, and anesthetic agents as well as taking other actions that could undermine the confidentiality, integrity, and availability of the devices, the release noted.

“The vulnerability enables an attacker to set the parameters of these machines remotely from the network with no authentication required,” said Elad Luz, head of research at CyberMDX. Luz reported the vulnerability to the company and to the National Cybersecurity and Communications Integration Center (NCCIC).

“All the attacker needs to know is the commands the machine accepts. These commands are there by design. An attacker needs to know about them and what they look like. It’s enough for the attacker to send the commands over the network to the machine,” Luz told HITInfrastructure.com.

“It would take some research on the protocols of the machine to know which commands it accepts. After that, one can make a tool that can easily be used by others,” Luz said.

The CyberMDX researcher said that exploitation of the vulnerability could cause problems for anesthesiologists.

“Anesthesiologists connect machines to the network in order to document the process, such as when they started, vital signs of the patient, and the gases and concentrations they used. The machine does it automatically. That is why before surgery they make sure the machine is connected and reporting to the hospital’s database. And that is why the accuracy of the data and time matters,” he said.

Luz said he was surprised at the CVSS score of 5.3 (moderate severity) for this vulnerability, CVE-2019-10966. He chocked it up to the fact that the CVSS scoring system does not consider the risk that vulnerabilities in medical devices pose to patient safety.

“For software on a PC or an app on a mobile device, remotely changing the parameters of software or an app may not count as severe. But in cases where you have critical devices that have one purpose, such as an anesthesia device, the impact of changing parameters could be severe. CVSS is not adapted to medical devices and does not consider the possible patient harm,” Luz observed.

GE ADVISES ORGANIZATIONS TO USE TERMINAL SERVERS

To mitigate the vulnerability, GE Healthcare recommended that organizations use terminal servers when connected the device serial ports to the networks. Secure terminal servers provide strong encryption, virtual private networks, authentication of users, network controls, logging, audit capability, and secure device configuration and management options.

The company advised organizations to use best practices for terminal servers that include governance, management, and secure deployment measures such as network segmentation, virtual local area networks, and device isolation to enhance existing security measures.

NCCIC recommends users take measures to minimize the risk posed by the vulnerability, including:

“NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures,” the ICS-CERT advisory concluded.

Originally published in HIT Infrastructure by Fred Donovan on July 10, 2019.