- A medium severity cyber vulnerability has been discovered in hospital anesthesia machines, the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said in an advisory Tuesday.
- The issue was found in GE’s Aestiva and Aespire devices by healthcare cybersecurity firm CyberMDX.
- The vulnerability could allow an attacker to impair respirator functionality by silencing alarms, altering time and date records, and changing the composition of aspirated gases, CyberMDX said.
Preventing hackers from exploiting a security vulnerability in a medical device is a top concern for federal officials. Last month, FDA warned patients about a weakness in Medtronic insulin pumps that could allow a hacker to interfere with drug delivery. Medtronic said patients should not connect the device to third-party technologies it has not authorized.
Also in June, the Department of Homeland Security flagged security vulnerabilities in some BD infusion pumps. The company said it had not received any reports of security breaches and advised users to block a client server protocol for sharing access to files.
CyberMDX said its researchers uncovered a vulnerability in the firmware of GE Aestiva and GE Aespire device models 7100 and 7900. Through the vulnerability, remote commands could be sent to interfere with the device.
An attacker could hack the devices without prior knowledge of IP addresses or the location of the machines, CyberMDX said. The hacker need only to gain access to a hospital’s network with the devices connected to a terminal server.
Such an attack could lead to unauthorized gas composition adjustments, manipulating barometric pressure and anesthetic agents, alarm silencing, and changes to date and time settings, placing patients at risk, the company said.
In its ongoing efforts to address cybersecurity risks, FDA plans to convene a Patient Engagement Advisory Committee meeting on Sept. 10 with the aim of creating recommendations on factors the agency and industry should consider when informing the public about cybersecurity risks.
FDA, in its 2018 Medical Device Safety Action Plan, laid out its initiatives to combat cyber threats including requiring manufacturers to build security updates and patch capabilities into products and creating procedures for rapid coordinated disclosure of medical device vulnerabilities.