Certain Anesthesia Devices Have Vulnerabilities: ResearchersGE Healthcare Disputes Some of the Findings; Security Experts Weigh In
Authentication vulnerabilities in certain GE Healthcare anesthesia devices could potentially allow remote attackers to meddle with the devices, including modifying gas composition parameters and silencing alarms, researchers say.
As a result of the findings by the research firm CyberMDX that were released on Tuesday, GE Healthcare and the Department of Homeland Security each issued advisories to alert healthcare organizations about the issue and advise them on mitigation steps.
GE Healthcare however, contends that the vulnerabilities identified by CyberMDX are not due to the anesthesia devices. "This potential issue relates to network security and not the product," a company spokeswoman tells Information Security Media Group in a statement.
"We generally recommend that anesthesia devices not be connected to a network. The scenario described in the report requires hospitals to use the equipment in ways that it should not be used," the spokeswoman says.
But some security experts strongly disagree with GE Healthcare's assessment of the problem and its recommendations for mitigation.
The alerts about GE Healthcare's Aestiva and Aespire devices - models 7100 and 7900 - come on the heels of the Food and Drug Administration issuing a warning that another medical device maker, Medtronic was voluntarily recalling certain infusion pump devices due to security issues that cannot be patched (see: Certain Insulin Pumps Recalled Due to Cybersecurity Issues).
"This is another example of the risk that medical devices present from both a cyber and patient safety prospective," says Mark Johnson, a former healthcare CISO and principal at the consulting firm LBMC Information Security.
"Medical devices present such risk that all healthcare providers must do something now. However, addressing this risk will not occur from getting more cyber robust medical devices from the vendors. It's going to take too long for that. Therefore, the only answer is for healthcare providers to segment their networks and protect these vulnerable devices by other means."
CyberMDX says its research team discovered an authentication vulnerability related to the GE Aestiva and GE Aespire devices that potentially could allow an attacker to modify the anesthesia device settings if they are connected via terminal servers. "The attacker can force the device(s) to revert to an earlier, less secure version of the communication protocol and remotely modify parameters without authorization," CyberMDX says. "When deployed using terminal servers, these manipulations can also be performed without any prior knowledge of IP addresses or location of the anesthesia machine."
CyberMDX says the attack could lead to:
- Unauthorized gas composition input - altering the concentration of inspired/expired oxygen, CO2, N2O, and anesthetic agents;
- Manipulation of barometric pressure settings and anesthetic agent type selection;
- Remote silencing of alarms;
- Alteration of date and time settings.
The DHS' Industrial Systems and Controls U.S. Computer Emergency Response Team notes in its alert that the improper authentication vulnerability - which can be potentially exploited by someone with low skill levels - "exists where serial devices are connected via an added unsecured terminal server to a TCP/IP network configuration."
A potential attack involving the vulnerability "could impact the confidentiality, integrity and availability of a component of the system," U.S. CERT says. No known public exploits specifically target this vulnerability, U.S. CERT notes.
In its advisory about the vulnerabilities, GE Healthcare emphasizes unsecure terminal server implementations, rather than any potential weaknesses in its anesthesia devices.
The company says it conducted an internal risk investigation and determined "that while there exists - via certain insufficiently secured terminal server implementations - the potential ability to modify gas composition parameters to correct flow sensor readings for gas density, modify device time and silence alarms after the initial audible alarm, there is no introduction of clinical hazard or direct patient risk."
The GE Healthcare spokeswoman tells ISMG: "We have a comprehensive security approach and continuously monitor the environments we operate in to assess and mitigate risks. We will continue to work with government organizations, healthcare providers and security industry leaders on cyber readiness initiatives that support the safe and effective use of our medical devices and software solutions."
In its advisory, GE Healthcare says it has concluded that:
- The potential ability to remotely modify GE Healthcare anesthesia device parameters results from a configuration exposure through certain insufficiently secured terminal server implementations that extend GE Healthcare anesthesia device serial ports to TCP/IP networks.
- While the anesthesia device is in use, the potential gas composition parameter changes, potential device time change, or potential remote alarm silencing actions will not interfere in any way with the delivery of therapy to a patient at the point of delivery and do not pose any direct clinical harm.
- The potential ability to modify GE Healthcare anesthesia device parameters or silence alarms does not demonstrate a vulnerability of the GE Healthcare anesthesia device functionality itself.
"Anesthesia devices are qualified as an 'attended device,' and device location is where primary control is maintained by the physician," GE Healthcare says in the advisory.
"While an alarm could potentially be silenced via the insufficiently secured terminal server TCP/IP connection to the GE Healthcare anesthesia device, both audible annunciation of the alarm, and visual signaling of the alarm are presented to the attending clinician at the GE Healthcare anesthesia device interface."
In its advisory, GE Healthcare recommends organizations use "secure terminal servers" when choosing to connect GE Healthcare anesthesia device serial ports to TCP/IP networks.
"Secure terminal servers when correctly configured provide robust security features including strong encryption, VPN, authentication of users, network controls, logging, audit capability, and secure device configuration and management options," GE Healthcare notes.
"GE Healthcare recommends that organizations utilize best practices for terminal servers that include governance, management and secure deployment measures such as network segmentation, VLANs and device isolation to enhance existing security measures."
Not Good Enough?
Elad Luz, the head of research at CyberMDX who identified the vulnerabilities in the anesthesia devices, tells Information Security Media Group that he's not convinced the manufacturer's mitigation recommendations are enough to address the issues he found.
"GE's response was that only secure terminal servers should be used, but it is unclear to me what they mean by that exactly," he says. "It is best practice that medical devices be isolated within a hospital's networks, but the reality is that this is not the case in many hospitals. While using secure terminals will limit the attack surface, it won't fix the root cause of the vulnerability."
"Given a vulnerability like this one, the question is whether hospitals are capable of taking the next step and proactively evaluating all of their instances of terminal servers across all manufacturers. Most simply can't."
—Ben Ransford, Virta Labs
Removing devices from a hospital's network is an unrealistic solution, he adds. "Today's patient care in modern hospitals require connected devices. The vulnerability is actually about lack of authentication and authorization. The requests sent to the device are typical, and the device is designed to support these requests," he says.
"In this case like many others, only a monitoring solution that understands the context of the medical communication inside the hospital can be good enough."
Ben Ransford, president of healthcare cybersecurity firm Virta Labs, offers a similar assessment.
"This class of vulnerabilities, in which a legacy control interface is dragged screaming onto a multitenant network, is common in medical devices and industrial-control systems," he says. "Manufacturers design systems this way so that customers and manufacturer reps can manage devices at hospital scale. But terminal servers are like household plumbing: You don't think about them until something goes dreadfully wrong."
Any device with this kind of interface vulnerability "is just the tip of the iceberg in a hospital," he says. "Given a vulnerability like this one, the question is whether hospitals are capable of taking the next step and proactively evaluating all of their instances of terminal servers across all manufacturers. Most simply can't."
Ransford adds: "Many hospitals will find GE's remediation advice too vague to act on because it boils down to 'use an unspecified good thing instead of the bad thing we may or may not have sent you.' Dealing with ambiguity requires resources that hospitals don't have. Hospitals need specific instructions."
Weak authentication is a common problem in the design of many medical devices that must be addressed, Luz of CyberMDX contends.
"Perhaps it's because simply security wasn't a major consideration when they designed the product, Luz says. "I believe that even when device vendors follow cybersecurity guidelines during the manufacturing process, they must think about post-market deployments as well, and how the device will be used in a dynamic working environment."
So, what do device manufacturers need to improve in the design of firmware?
"I would start with authentication; it is a common and prevalent problem," Luz says. "Then move to encryption; most medical devices out there are still using non-encrypted communication."
Slow, But Steady, Progress?
In a recent interview, Suzanne Schwartz, M.D. of the FDA said that manufacturers and healthcare entities are becoming more proactive in addressing cybersecurity concerns involving many medical devices, but clinicians and patients also need to be more engaged about these issues, as well.
"We continue to make advancements, but we still have a way to go," she says. "Trustworthiness, transparency and resilience" are the cornerstone principles for the medical device ecosystem to advance towards more progress, she says.
On Sept. 10, the FDA will hold its first Patient Engagement Advisory Committee meeting focused on medical device cybersecurity issues.