Cybersecurity firm CyberMDX has reported the discovery of a security flaw in some internet-connected GE Healthcare anaesthetic machines which could leave them vulnerable to hacks.
The security flaw has been described as the exposure of the configuration of certain terminal server implementations that extend GE Healthcare anaesthesia device serial ports to TCP/IP networks. This could potentially mean when the devices are connected to the internet, they could be remotely targeted by hackers who could modify the parameters of the anaesthesia devices. According to CyberMDX, this means hackers could silence device alarms and even adjust anaesthetic dosages or switch anaesthetic agents.
Johnson & Johnson
The threat discovered in GE Healthcare anaesthetic devices may not sound too unlikely when you consider that, back in October, a security vulnerability was discovered in one of Johnson & Johnson’s insulin pumps (the Animas OneTouch Ping insulin pump) that a hacker could exploit to overdose diabetic patients with insulin. Even though the company described the risk as “extremely low”, it still led them to take the precaution of sending letters outlining the problem to 114,000 people, doctors and patients, who used the device in the US and Canada.
The affected GE Healthcare anaesthetic machines are reported to include Aestiva and Aespire versions 7100 and 7900. It has been reported some are used in NHS hospitals.
Some of the suggestions offered by GE in response to reports of the possible vulnerability (which may not be exclusive to just GE machines) are for hospitals/users to use secure terminal servers with strong encryption and to use a VPN and other features to protect against hacks.
Also, GE suggests organisations should use industry best practices and secure deployment measures e.g. network segmentation, VLANs and device isolation.
What does this mean for your business?
Where any device has an internet connection, e.g. IoT devices, there is now a risk of a possible attack but the fact these are medical machines which could lead to serious human consequences if remote hackers were able to tamper with them makes this story all the more alarming.
If, as GE and the US Department of Homeland Security have pointed out, all equipment is correctly isolated wherever possible, unnecessary accounts, protocols and services are disabled, and best practice is followed, the risk should be very low indeed.
This story does, however, highlight how all businesses and organisations should take the security of smart/IoT devices seriously particularly where there could be a clear human risk.