According to a cyber-security firm, hackers have the power to break into NHS-owned anaesthetic machines and operate them remotely, if the units are left open on a computer network.
Once access has been obtained, a cyber-attack could end in hackers being able to alter drug levels being administered to a patient. Machine alerts could also be manipulated, meaning alarms would stay silent in the event of a dangerous situation materialising, CyberMDX said.
While there is no “direct patient risk”, according to GE Healthcare, which makes the devices, research conducted by CyberMDX has revealed that hackers could infiltrate Aespire and Aestiva 7100 and 700 if the commonly-used units are left in an accessible state on hospital IT systems.
An NHS spokeswoman said:
“We are currently assessing the volume of these particular anaesthetic machines in use across England and we will be sharing any subsequent advice with trusts in the coming days.”
Research chief at CyberMDX, Elad Luz, said he was aware of the machines also being in use across the States and Asia. Meanwhile, GE Healthcare has said it feels a hacking attempt would “not introduce clinical hazard or patient risk,” pointing to how anaesthetists are present to monitor the devices and correct any problems that develop.
Speaking to the BBC, GE Healthcare said that no plans were in place to develop security upgrades for the anaesthetic units, but that healthcare centres and hospitals could improve their own cyber security protocols to boost defences.
Concurring with the need to prevent devices from being left alone and unprotected on IT networks, cyber-security expert Ken Munro said that isolation was “not, frankly, the case in many hospital networks.”
“GE absolutely have a part to play in this and they absolutely should be building devices with strong security,” Mr Munro said.
Prof Harold Thimbleby is a medical machinery security expert at Swansea University. Speaking to the BBC, Professor Thimbleby said:
“As with WannaCry, a phishing attack can gain access and then an attacker can do what they like. Given the worldwide profile of WannaCry, it is amazing vulnerabilities like this are still around.”