- Recently discovered medical device vulnerabilities in infusion pumps could potentially allow a remote attacker to gain unauthorized access, affecting the pump’s intended operation, according to the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
Independent researcher Scott Gayou found eight vulnerabilities in Smiths Medical’s Medfusion 4000 Wireless Syringe Infusion Pump, ICS-CERT reported. Smiths Medical will release a new product version in January 2018 to address the vulnerabilities.
“Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access and impact the intended operation of the pump,” the release stated. “Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump.”
The following infusion pump versions are affected:
- Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.1
- Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.5
- Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.6
ICS-CERT explained that the medical devices “are syringe infusion pumps used to deliver small doses of medication in acute care settings.”
The vulnerabilities could be remotely executed, but ICS-CERT added that an attacker with a high skill level would be able to do so.
“ICS-CERT reminds organizations to perform proper impact analysis and risk assessment by examining their specific clinical use of the pump in the host environment,” the agency said. “NCCIC/ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities.”
Smith Medical also made several recommendations for organizations to take defensive measures in an effort to prevent potential exploitations from taking place.
Users should assign static IP addresses to the Medfusion 4000 Wireless Syringe Infusion Pump and monitor network activity for rogue DNS and DHCP servers.
Re-using passwords could also lead to exploited vulnerabilities. Users should “apply proper password hygiene standards across systems,” Smith Medical warned.
Routine backups and evaluations will also help users, according to the organization.
Smith Medical also listed the following defensive measures for users:
- Ensure network segments which the Medfusion 4000 medical infusion pumps are installed are segmented from other hospital and clinical information technology infrastructure.
- Consider network micro segmentation.
- Consider use of network virtual local area networks (VLANs) for the segmentation of the Medfusion 4000 medical infusion pumps.
Earlier this summer, ICS-CERT also reported on identified potential medical device vulnerabilities in medical imaging products.
Siemens identified four vulnerabilities within its Molecular Imaging products running on Windows 7, which are used in clinical environments for diagnostic imaging purposes.
Siemens also cautioned organizations to run the potentially affected devices in a dedicated network segment and protected IT environment. Entities should also disconnect the product from the network, using the device in standalone mode if patient safety and treatment are not at risk.
“Reconnect the product only after the provided patch or remediation is installed on the system,” Siemens said. “Siemens Healthineers is able to patch systems capable of Remote Update Handling (RUH) much faster by remote software distribution compared to onsite visits.”
“Therefore customers of RUH capable equipment are recommended to clarify the situation concerning patch availability and remaining risk in the local customer network with the Siemens Customer Care Center first and then to re-connect their systems in order to receive patches as fast as possible via Remote Update Handling,” the report continued.
Addressing remote access on medical devices was part of the recently announced Medical Device Cybersecurity Act of 2017 (S. 1656). Proposed by Connecticut Senator Richard Blumenthal, the legislation calls for bolstered remote access protections for medical devices in and outside of a hospital.
S. 1656 also aims to create a cyber report card for devices and require that testing be performed before devices are sold, increasing medical device transparency.
“My bill will strengthen the entire health care network against the ubiquitous threat of cyberattacks,” Blumental said in a statement. “Without this legislation, insecure and easily-exploitable medical devices will continue to put Americans’ health and confidential personal information at risk.”