75% of Infusion Pumps Contain Known Security Gaps, Report Finds

March 02, 2022 - Researchers from Unit 42 analyzed over 200,000 infusion pumps and found known security gaps in 75 percent of them, a recent report revealed. The discovery has grim implications for medical device security.

Unit 42 is Palo Alto Networks’ threat intelligence and security consulting organization. Its researchers set their sights on assessing how well healthcare organizations secure smart infusion pumps, network-connected medical devices that dispense medications and fluids to patients.

In August 2021, McAfee researchers discovered significant vulnerabilities in two types of B. Braun infusion pumps that could potentially allow hackers to deliver lethal doses of medications to unsuspecting patients. No incidents have been reported, but the discovery pointed to significant gaps in medical device security that make these devices easy targets for threat actors.

Unit 42’s analysis found that most infusion pumps contained one or more of 40 known security vulnerabilities and one or more of 70 other types of IoT device vulnerabilities. More than half of analyzed infusion pumps were vulnerable to two extremely high severity vulnerabilities disclosed publicly in 2019.

The most common vulnerabilities observed in infusion pumps fell under the categories of leakage of sensitive information, unauthorized access and overflow, and third-party TCP/IP stack vulnerabilities.

“There is already a vast array of information about known vulnerabilities and approaches for securing these devices, thanks to the efforts of medical equipment makers, security researchers, cybersecurity vendors and regulators who have spent the past decade working to better understand cyber risks associated with use of infusion pumps and other connected medical devices,” the report stated.

Researchers noted the Food and Drug Administration’s (FDA) seven infusion pump recalls from 2021 and nine recalls in 2020. The Healthcare Supply Chain Association (HSCA) recently released guidance for medical device manufacturers regarding cybersecurity and patient privacy. The FDA, MITRE, and the Medical Device Consortium (MDIC) also teamed up to release a playbook for medical device threat monitoring.

“There are also initiatives led by industry and government aimed at standardizing device information and establishing baseline security criteria for manufacturing these devices,” the report continued.

“Yet the average infusion pump has a life of eight to 10 years, which means the widespread use of legacy equipment has hampered efforts to improve security.”

In addition, inadequate network segmentation and failure to implement basic security best practices leave infusion pumps and other medical devices even more vulnerable to exploitation.  

“Our discovery of security gaps in three out of four infusion pumps that we reviewed highlights the need for the healthcare industry to redouble efforts to protect against known vulnerabilities, while diligently following best practices for infusion pumps and hospital networks,” the report emphasized.