Infusion Pump Vulnerabilities Point to Gaps in Medical Device Security

August 27, 2021 - Vulnerabilities in two types of B. Braun infusion pumps could allow hackers to deliver double doses of medications to unsuspecting patients, exposing significant challenges to medical device security, McAfee researchers revealed in a recent disclosure report.

McAfee Advanced Threat Research (ATR), along with medical cybersecurity company Culinda, found five previously unknown vulnerabilities in the B. Braun Infusomat Space Large Volume Pump and the B. Braun SpaceStation. The vulnerabilities could allow bad actors to infiltrate the devices. Both infusion pumps are designed for use in adult and pediatric medical facilities.

McAfee first notified B. Braun of the vulnerabilities on January 11, 2021, and worked with the company to adopt its suggested safeguards. ATR’s newly released disclosure report provided a detailed technical view into each of the five vulnerabilities and the widespread implications for medical device security.

Infusion pumps automate medication and nutrient delivery in controlled amounts. They are widely used in a variety of care settings and are particularly convenient for delivering precise and critical medication doses.

The US Food and Drug Administration (FDA) is aware of significant risks that infusion pumps pose. As helpful as the devices can be, one technological misstep could result in devastating consequences for patients.

“From 2005 through 2009, FDA received approximately 56,000 reports of adverse events associated with the use of infusion pumps, including numerous injuries and deaths,”  the Food and Drug Administration’s (FDA) website states.

“Although some adverse events may be the result of user error, many of the reported events are related to deficiencies in device design and engineering, which can either create problems themselves or contribute to user error.”

In 2010, the agency launched the Infusion Pump Improvement Initiative, aimed at addressing and mitigating safety risks. The initiative was created with the goal of establishing requirements for infusion pump manufacturers, facilitating device improvements, and increasing user awareness.

Theoretically, hackers could remotely modify the amount of medication a patient will receive. The incident would likely be attributed to a device malfunction, making it easier for hackers to dispense lethal doses. It is crucial to note that no known healthcare providers have reported an incident like this, but the fact the possibility has implications for medical device security.

“The ability to remotely manipulate medical equipment undetected, with potential for patient harm, is effectively weaponizing these point of care devices,” Shaun Nordeck, MD, an interventional radiologist at University of Texas Southwestern, told ATR in the disclosure report.

“This is a scenario previously only plausible in Hollywood, yet now confirmed to be a real attack vector on a critical piece of equipment we use daily. The ransomware attacks that have targeted our industry rely on vulnerabilities just like these; and is exactly why this research is critical to understanding and thwarting attacks proactively.”

Ransomware attacks are the most common cyber threat in healthcare at the moment, but health systems are swiftly adopting new cybersecurity safeguards to make their systems impenetrable. As a result, hackers will soon have to find innovative new ways of accessing hospital networks.

In an accompanying blog post, ATR relayed B. Braun’s statement on the findings:

In May 2021, B. Braun Medical Inc. disclosed information to customers and the Health Information Sharing & Analysis Center (H-ISAC) that addressed the potential vulnerabilities raised in McAfee’s report, which were tied to a small number of devices utilizing older versions of B. Braun software. Our disclosure included clear mitigation steps for impacted customers, including the instructions necessary to receive the patch to eliminate material vulnerabilities.

Braun has not received any reports of exploitation or incidents associated with these vulnerabilities in a customer environment.

The McAfee report noted that the newest version of B. Braun’s infusion pump removes the initial network vector of the attack chain. However, a hacker could easily find another network-based vulnerability to use as a workaround.

“Additionally, the vulnerable versions of software are still widely deployed across medical facilities and remain at risk of exploitation,” the blog post concluded.

“Until a comprehensive suite of patches is produced and effectively adopted by B. Braun customers, we recommend medical facilities actively monitor these threats with special attention, and follow the mitigations and compensating controls provided by B. Braun Medical Inc. in their coordinated vulnerability disclosure documentation.”