Cybersecurity: Now an anesthesia machine problem

July 30, 2019

As if we didn’t already have enough to worry about, now faceless hackers can possibly take control of our anesthesia machines! In a scenario that sounds like it was dreamed up by a novelist, the Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA) issued a warning saying that certain GE Healthcare anesthesia machines can be hacked remotely, according to a Fox News article.

The specific devices, GE Aestiva and Aespire Versions 7100 and 7900, can apparently be hacked not to steal data but to alter the amount of anesthetic agent delivered or stop a respiratory device. The article notes that the devices received a CVSS v3 vulnerability score of 5.3, or moderate severity. Jon Rabinowitz of CyberMDX takes issue with the rating. He notes that when these devices were first being designed, cybersecurity and hacking were not issues that were being focused on, and that the scoring system does not account for the potential patient risk. Adjusted for these factors, he feels the GE machine vulnerability should be scored as critical. GE Healthcare also issued a statement acknowledging that there is a potential to hack the devices; however, after conducting an internal risk investigation, it determined there was no clinical hazard or direct patient risk.