According to IT security audits specialists, a machine to supply anesthesia widely used by hospitals around the world is vulnerable to hacker attacks and can be controlled remotely through a hospital’s computer network.
A successful attack could reportedly change the amount of anesthesia administered to a patient, which could have fatal consequences. In addition, experts say that it is possible to silence the alarms present in these devices, which serve to stop anesthetists from stopping their work in the face of any possible anomalies.
GE Healthcare, the manufacturer of these devices, claims that there are no direct risks to patients. However, IT security audits experts at the research firm CyberMDX say threat actors could attack Aespire and Aestiva 7100 and 7900 devices if exposed on hospital facility’s computer network.
As mentioned by UK Nottingham University Hospitals, the compromised machines are present in many of the country’s hospitals, although their use has been sought to decrease, changing to other newer models. “None of the machines we use in Nottingham University Hospitals are connected to the Internet or our internal network, so the risk of exploitation of these faults is really low,” a spokesman said.
On the other hand, Elad Luz, IT security audits specialist, says hundreds of hospitals in the United States and parts of Asia use vulnerable devices.
GE Healthcare maintains its position, stating that this attack vector poses no clinical risk to patients. “Anesthetists must operate the device manually, there is no way for a professional to exceed the correct dose,” the company said in a statement.
As reported, the company will not release update patches for the software of these devices, although it asks the hospitals that use them to implement a safe-use protocol to keep their patients completely safe.
According to experts from the International Institute of Cyber Security (IICS), although there are no known cases of exploitation, the National Homeland Security’s Cyber Emergency Response Team (ICS-CERT) has already issued a security alert on these flaws.