Aestiva (anesteziologichesky station)

2019: The Anesteziologichesky stations GE can be configured far off. Patients under the threat

In the middle of July, 2019 in the anesteziologichesky stations GE Aestiva and Aespire Anesthesia which are used in hospitals in all territory of the USA the authentication error was found. Vulnerability of a terminal server allows hackers to configure stations far off and threatens life of patients.

The problem affects the GE Aestiva and Aespire models of versions 7100 and 7900. Because of an authentication error the malefactor can change far off parameters of the vulnerable device and disconnect alarms. Among other things the hacker is capable to change parameters of gas mix, to correct indications of the flow rate sensor of gas and the timer of the device.

Anesteziologichesky station GE Aestiva

The problem concerns a terminal server which connects the anesteziologichesky stations GE Healthcare to TCP/IP networks. Malefactors can get into a system if devices are connected to network through the added unprotected terminal server. The index of danger of 5.3 of 10 as during official assessment of risk researchers came to conclusion that "the clinical danger of direct risk to the patient is absent" was appropriated to vulnerability. GE Healthcare confirmed that software of the device has no vulnerabilities of this sort, and already took measures for prevention of effects. Specialists confirmed that this problem cannot be used for theft of personal data.

Meanwhile health workers are recommended to use the protected terminal servers and to precisely follow instructions at connection of the anesteziologichesky stations GE Healthcare. Safety on the protected terminal servers is ensured due to authentication of users, reliable enciphering, network management, VPN, a possibility of maintaining magazines and audit and also parameters of safe setup and management.^[1]

Notes