GE Healthcare insists anaesthesia machines used by NHS pose ‘no direct patient risk’

The health tech giant has advised against connecting its devices to a network in order to avoid hacking attacks.
By Tammy Lovell

GE Healthcare says its anaesthetic machines pose no patient risk, after concerns that the devices could be tampered with by hackers.

Cybersecurity firm CyberMDX flagged a vulnerability related to the GE Aestiva and GE Aespire 7100 and 7900 devices that could allow hackers to alter the amount of anaesthetic delivered to patients and silence alarms that indicate danger.

According to researchers, if a machine was connected to a hospital’s networks via terminal servers, an attacker could remotely modify its parameters by forcing the device to revert to a less secure version of the communication protocol.

But Hannah Huntly, global external affairs manager for GE Healthcare, said its investigation found there was no clinical hazard or direct patient risk.

“There is no vulnerability with the anaesthesia device itself, and we generally recommend that anaesthesia devices not be connected to a network,” she said.

The Royal College of Anaesthetists (RCoA) also stated there was no reason to panic over use of the devices.

“In the unlikely situation where hacking of a single device may take place, patients should be reassured that their anaesthetist will be monitoring them constantly and will have received many years of training to rectify immediately the situation of a device failure,” said RCoA council member, Dr Helgi Johansson.

WHY IT MATTERS

Fears were raised that patients could be put at risk in NHS hospital trusts using the devices.

“We’re currently assessing the volume of these particular anaesthetic machines in use across England and will be sharing any subsequent advice with trusts in the coming days,” an NHS Digital spokesperson said.

The Medicines and Healthcare products Regulatory Agency said it is working with the manufacturer and the Association of Anaesthetists of Great Britain and Ireland to establish the effects of any vulnerability.

THE LARGER TREND

In May 2017, the WannaCry ransomware attack severely disrupted more than 80 NHS hospital trusts, causing 19,000 patient appointments to be cancelled.

A recent report by the Institute of Global Health Innovation at Imperial College London, led by Lord Ara Darzi, called for investment in cyber-security to be prioritised to prevent the NHS being a “vulnerable target” for hackers.

ON THE RECORD

Axel Wirth, distinguished healthcare architect at US software company Symantec Corporation, told Healthcare IT News: “Although a vulnerability may be exploitable when I have the device in front of me with full access to it, it doesn’t mean that under normal use an attacker could execute the same attack.

“I don’t want to downplay the problem - medical device cybersecurity is an issue that has been ignored too long, but I also don’t think we need to panic. I advise proceeding with a sense of urgency, yet in a planned and coordinated approach.”