Skip to main content
close search
site logo
Dive Brief

Feds warn of cyber vulnerability in hospital anesthesia machines

Published July 9, 2019
By
Reporter
Getty

Dive Brief: 

  • A medium severity cyber vulnerability has been discovered in hospital anesthesia machines, the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said in an advisory Tuesday.
  • The issue was found in GE’s Aestiva and Aespire devices by healthcare cybersecurity firm CyberMDX.
  • The vulnerability could allow an attacker to impair respirator functionality by silencing alarms, altering time and date records, and changing the composition of aspirated gases, CyberMDX said.

Dive Insight:

Preventing hackers from exploiting a security vulnerability in a medical device is a top concern for federal officials. Last month, FDA warned patients about a weakness in Medtronic insulin pumps that could allow a hacker to interfere with drug delivery. Medtronic said patients should not connect the device to third-party technologies it has not authorized.

Also in June, the Department of Homeland Security flagged security vulnerabilities in some BD infusion pumps. The company said it had not received any reports of security breaches and advised users to block a client server protocol for sharing access to files.

CyberMDX said its researchers uncovered a vulnerability in the firmware of GE Aestiva and GE Aespire device models 7100 and 7900. Through the vulnerability, remote commands could be sent to interfere with the device.

An attacker could hack the devices without prior knowledge of IP addresses or the location of the machines, CyberMDX said. The hacker need only to gain access to a hospital’s network with the devices connected to a terminal server.

Such an attack could lead to unauthorized gas composition adjustments, manipulating barometric pressure and anesthetic agents, alarm silencing, and changes to date and time settings, placing patients at risk, the company said.

In its ongoing efforts to address cybersecurity risks, FDA plans to convene a Patient Engagement Advisory Committee meeting on Sept. 10 with the aim of creating recommendations on factors the agency and industry should consider when informing the public about cybersecurity risks.

FDA, in its 2018 Medical Device Safety Action Plan, laid out its initiatives to combat cyber threats including requiring manufacturers to build security updates and patch capabilities into products and creating procedures for rapid coordinated disclosure of medical device vulnerabilities.

Recommended Reading

Editors' picks

Company Announcements

View all | Post a press release
Powerful Medical Becomes the First Company to Win Best Science Startup and Overall Winner at A…
From Powerful Medical
November 21, 2024
Osteal Therapeutics Announces Positive 12-Month Results from the APEX Clinical Trial Program a…
From Osteal Therapeutics
November 14, 2024
Echosens Launches its Liver Health Management (LHM) Platform Globally, Streamlining Liver Care
From Echosens
November 04, 2024
Viz.ai Wins Prestigious Prix Galien USA Award for Best Digital Health Solution
From Viz.ai
November 12, 2024
Editors' picks
Latest in Medical Devices
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell