Wireless syringe infusion pumps vulnerable to cyber-attacks


The US Department of Homeland Security issues warning over the devices, which it says could be hacked.

Smiths Medical’s Medfusion 4000 wireless syringe infusion pump is the subject of the advisory, which comes from the DHS’ Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

The advisory highlights eight cybersecurity vulnerabilities, which, according to ICS-CERT, would require an attacker with ‘high skill’ to exploit.

Syringe infusion pumps deliver medications in acute settings. Increasingly medical devices are being equipped with wireless connectivity, allowing them to access IT systems in hospitals and surgeries.

The eight vulnerabilities include the fact that the FTP server on the pump does not require authentication if the pump is configured to allow FTP connections. The advisory also says that the pump does not validate host certificates, leaving the pump vulnerable to a man-in-the-middle (MITM) attack.

The advisory warns that "Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorised access and impact the intended operation of the pump. Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump.

"Impact to individual organisations depends on many factors that are unique to each organisation. ICS-CERT recommends that organisations evaluate the impact of these vulnerabilities based on their operational environment and specific clinical usage."

Gordon Morrison, director of government relations at IT security firm McAfee, said:

"IT and security professionals in healthcare organisations are facing unprecedented pressure – from an increase in demand and complexity of services, to the threat of legacy IT and a number of new compliance issues like GDPR and the Information Governance Toolkit. Alongside these challenges, hospitals are going through immense digital transformation, with new connected medical devices being introduced to improve the doctor and patient experience.

"However, we’ve seen that despite the massive potential of the healthcare Internet of Things, a number of these devices are vulnerable to hacking – putting both hospital networks and the patients themselves at risk. It is essential to ensure these devices are not introduced at the expense of the safety of the patient and their data.

"Achieving this will be twofold: ensuring that the devices are built securely by design and with the necessary security controls in place, as well as a security policy for connected devices in hospitals, to ensure that they can't access sensitive data and are regularly patched against newly discovered vulnerabilities."

According to the Smiths Medical website, the Medfusion 4000 permits wireless connectivity to a server which enables reprogramming without physical handling of the pumps, as well as permitting drug library updates.

Smiths Medical also claims that the syringe pump is "always in 'medication safety' status from the moment you power up the pump, helping to promote your facility's policies and procedures for medication administration".

In response to the advisory, the medical device maker published a letter addressed to 'valued customers', which stated that the risk of such an attack is "highly unlikely, as it requires a complex and an unlikely series of conditions".

The statement also confirms that the group has engaged with the FDA Center for Devices and Radiological Health as well as ICS-CERT to resolve the issue. Plans are in place for a software security update which will be rolled out in January 2018.

In 2015, the FDA warned hospitals against using Hospira's Symbiq Infusion systems because they could be hacked. The FDA, as well as the DHS, cited research from independent cyber security expert Billy Rios, who concluded that patients could be at risk of remote attacks by someone with access to the hospital network. He highlighted the ease with which hackers could log in to a device without a username or password, allowing them to operate the device and change its settings.
