Security researchers revealed that an anaesthetic machine can be hacked and controlled remotely if left accessible on a hospital computer network. Cybersecurity firm CyberMDX discovered a security flaw in a number of GE Healthcare devices used by National Healthcare Services (NHS) hospitals that could allow hackers to manipulate the amount of anaesthetic delivered to patients.
The company stated the remotely exploitable flaw could enable hackers to silence device alarms, alter the date and time settings, adjust anaesthetic dosages, and switch anaesthetic agents. It’s believed that the Aespire, Aestiva 7100, and 7900 devices could be targeted by hackers if left accessible on hospital computer networks, according to the researchers.
“On July 9, 2019, ICS-CERT disclosed the first vulnerability discovered specifically impacting anesthesia machines. If exploited, the vulnerability would allow an attacker to silence alarms, alter date and time settings, adjust gas composition inputs, change barometric pressure, and switch between anesthetic agents — all without authentication,” CyberMDX said in a statement.
“Affecting GE Aestiva and GE Aespire (models 7100 and 7900) machines that are ported to the network via terminal servers, the exploitation chain for this vulnerability is actually quite simple — provided you know your way around the communication protocol that these machines use,” it added.
A recent report revealed that healthcare organizations suffered the highest number of data breaches in 2018 of any sector of the U.S. economy. According to Beazley Breach Response, a breach response management and information security insurance solutions provider, healthcare entities reported the highest number of data breaches, at 41 percent.
The report, dubbed the Beazley Breach Insights Report, stated that direct hacking, the presence of malware, or human error were the causes of data breaches in healthcare organizations. The report also revealed the percentage of breaches in other sectors of the economy. The education sector accounted for 10 percent of security issues, financial institutions reported 20 percent of incidents, and professional services represented 13 percent of cases.
Cybercriminals are attempting to extort cryptocurrency from companies or individuals by claiming to have embarrassing evidence of people using adult websites at work, the report added.