Healthcare under attack: GE anesthesia machines hackable, 11m NHS email hacks

News by SC Staff

GE acknowledges vulnerabilities in two of its anesthesia machine models, saying "a malicious party" can potentially modify their working and results, while NHS email systems have faced 11m attacks in three years

In the US, the Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA) has listed GE anesthesia machines as vulnerable to hacking. The alert came after healthcare cybersecurity company CyberMDX flagged the vulnerabilities in the device.

GE has acknowledged the vulnerability, saying it allows "a malicious party" to potentially modify gas composition parameters, modify device time and silence alarms after the initial audible alarm.

Disturbed slumber

In October 2018, CyberMDX’s research team discovered a vulnerability in GE’s Aestiva and Aespire devices (models 7100 and 7900), said the company. When deployed using terminal servers, these manipulations can also be performed without any prior knowledge of IP addresses or location of the anesthesia machine, according to their researchers.

"If an attacker gains access to a hospital’s network and if the GE Aestiva or GE Aespire devices are connected via terminal servers, the attacker can force the device(s) to revert to an earlier, less secure version of the communication protocol and remotely modify parameters without authorisation," said the company’s announcement.

The Industrial Control Systems Certification department, USA, issued an alert about the vulnerability on 9 July.

"Successful exploitation of this vulnerability could allow an attacker the ability to remotely modify GE Healthcare anesthesia device parameters. This results from the configuration exposure of certain terminal server implementations that extend GE Healthcare anesthesia device serial ports to TCP/IP networks," said the CISA alert.

The announcement came as GE is spinning off its healthcare business. The company said its internal risk investigation has spotted these vulnerabilities, but it does not provide access to data and does not introduce clinical hazard or patient risk.

"GE Healthcare recommends organisations use secure terminal servers when choosing to connect GE Healthcare anesthesia device serial ports to TCP/IP networks. Secure terminal servers when correctly configured provide robust security features including strong encryption, VPN, authentication of users, network controls, logging, audit capability, and secure device configuration and management options," it said.

Grave diagnostics

Using IoT devices to capture networks is an established route for malicious actors. Hacking medical devices opens the chance of hurting or even killing a patient.

"Every patient responds differently to anesthetics and close, precise supervision is therefore required," wrote Jon Rabinowitz, marketing VP at CyberMDX. "I’ve been told by anesthesiologists that certain procedures and certain patients — particularly the elderly — can, for example, be extremely sensitive to oxygen and nitrous oxide levels."

This is the first such vulnerability to be disclosed, but it is really just the tip of the iceberg, he added. SC Media UK this month reported how deficient security monitoring and legacy systems have made the UK’s National Health Service (NHS) a sitting duck for cyber-criminals.

IoT devices running on outdated software provide a porous network for hackers to access. Recent research by Check Point highlighted ultrasound machines as a particularly vulnerable loophole.

The Victorian Auditor General's Office in Australia conducted an audit in May and found out that patient data in Victoria’s public health system resides on a weak, easily-hackable system.

"As more and more services go online, with the widespread use of electronic health records and IoT medical devices, managing digital risks in healthcare is becoming increasingly complex," Chris Miller, UK & Ireland regional director of RSA Security, told SC Media UK, elaborating about the risk.

"But complexity is not an excuse for burying your head in the sand. Some of the errors that the auditors have picked up on here are pretty basic, which suggests that security hasn’t become embedded into these organisations – instead of being treated as a bolt on, or worse, a hurdle," he added.

Ongoing attack

In separate news, it was reported by NHS Digital that cyber-criminals have launched more than 11 million attacks on NHS email systems over the last three years.

The NHSmail infrastructure system is used by more than half a million staff in England and Scotland, and is available for use by all organisations commissioned to deliver publicly funded health and social care.

NHS Digital says the mail system has blocked a total of 11,352,000 email attacks over the three-year period.

The highest-ranked attacks were those categorised as IP or domain reputation attacks, of which 6,120,000 were recorded. Next comes anti-spam, with 3,624,000 attacks, and 852,000 anti-virus incidents.

"It’s clear that hackers view the NHS as a top target with growing volumes of email attacks deliberately designed to fool doctors, nurses and other health service workers into handing over confidential data," said Centrify VP Andy Heather in an email to SC Media UK.

"Increasingly we’re seeing cyber-criminals gaining access to private information such as patient records using legitimate log-in details which have been stolen or sold online. All too often this means that malicious activity remains undetected until it’s too late, so it’s vital that hospitals adopt a zero-trust approach to all user activity, ensuring every employee is verified and they are who they say they are."
