More medical devices – this time, syringe infusion pumps – have been found to contain vulnerabilities that hackers could use to compromise the safe treatment of patients.
Eight recently discovered vulnerabilities in several widely used syringe infusion pumps could enable hackers to change the dose of medication that a patient receives, according to an advisory notice from ICS-CERT (Industrial Control Systems Cyber Emergency Response Team), part of the US Department of Homeland Security.
The flaws were found in the software used on the Medfusion 4000 Wireless Syringe Infusion Pump from Smith Medical. More specifically, it is present in versions 1.1, 1.5 and 1.6 of the software.
These devices are used to deliver small doses of medication in acute care settings. The vulnerabilities, meanwhile, were discovered by independent security researcher Scott Gayou.
“Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access and impact the intended operation of the pump. Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump,” says the advisory.
Updates on their way
It’s worth stressing that no known attacks have been carried out at this stage. According to the advisory, such an attack would require “an attacker with high skill”.
The flaws include the use of hard-coded credentials; passwords stored in the configuration file; improper access control; and improper certificate validation.
The advisory suggests that that healthcare facilities using these devices should conduct a risk assessment to determine whether they should disconnect the pumps from their network until a fix is available.
In a statement, the devices’ manufacturer Smiths Medical said that the possibility of this exploit taking place in a clinical setting is “highly unlikely”, as it requires a complex and an unlikely series of conditions. It is planning to release Version 1.6.1 for the Medfusion 4000 Wireless Syringe Infusion Pump in January 2018.
Patients at risk?
Gordon Morrison, director of government relations at security software company McAfee, told Internet of Business that despite the massive potential of the IoT in healthcare, a large number of medical devices are vulnerable to hacking – putting both hospital networks and patients themselves at risk.
“It is essential to ensure these devices are not introduced at the expense of the safety of the patient and their data,” said Morrison.
Achieving this will be a two-fold process, he added: “Ensuring that the devices are built securely by design and with the necessary security controls in place; [and putting in place] a security policy for connected devices in hospitals, to ensure that they can’t access sensitive data and are regularly patched against newly-discovered vulnerabilities.”