Vulnerabilities found in infusion pump firmware


Alaris Gateway Workstation

by John R. Fischer, Staff Reporter
Becton, Dickinson and Company (BD) has disclosed the discovery of cybersecurity vulnerabilities found within firmware used to manage its Alaris Infusion Pumps.

Discovered by the cybersecurity research and analysis team CyberMDX, the vulnerabilities lie within the Alaris Gateway Workstation (AGW), which provides mounting, power, and communication support to infusion pumps, and in the web browser user interface of the AGW.


“Ensuring the safety and quality of our products is the top priority at BD, which is why we have a voluntary, proactive vulnerability disclosure process to ensure our customers are aware of any potential vulnerabilities and the compensating controls to mitigate them,” Troy Kirkpatrick, company spokesperson, told HCB News. “In this regard, with respect to the Alaris Gateway disclosure, resulting from a previously disclosed Windows vulnerability affecting the Windows CE operating system, the vulnerability only affects Alaris Gateway Workstations that have not been updated with one of the latest firmware versions.”

While no harm or patient exploitation took place, such risks create the potential for malicious attacks, including ones that disable devices, install malware, report false information, and in extreme cases, manipulate pumps to alter drug dosage and infusion rates.

Following CyberMDX's independent testing and validation, BD reproduced and confirmed the vulnerabilities itself and worked with the U.S. Department of Homeland Security (DHS) and CyberMDX to assess the extent of the risk posed. The vulnerability within the Alaris Gateway firmware earned a CVSS (Common Vulnerability Scoring System) critical score of 10.0, while the one within the web browser user interface was scored at 7.3. The remote nature and high impact of a potential attack account for the firmware vulnerability's maximum score of 10 out of 10.

However, manipulating dose or infusion rates is difficult: it took BD engineers with intimate product knowledge weeks to confirm that such manipulation was possible. The vulnerabilities also pose no danger to U.S. hospitals and patients, since the Alaris infusion pump is not used there.

“In order for a malicious attacker to alter a pump's infusion parameters, many prerequisites are required, including access to the hospital network, intimate knowledge of the product and the ability to update and manipulate a CAB file, which stores files in an archived library and utilizes a proper format for Windows CE,” said Kirkpatrick. “The external security research firm was not able to replicate the manipulation of infusion parameters, and there have been no reported exploits of this vulnerability. Because the vulnerability is limited to a single BD infusion system offering that is not sold in the U.S., this disclosure does not apply to the majority of BD infusion systems.”

Updated versions of the firmware released in April 2018 and in February 2019 — before the vulnerabilities were detected — are available and eliminate the security flaws. Those who choose not to update will have access to a patch within 60 days. BD advises users to block the SMB protocol, segregate the devices on their own VLAN, and ensure that only appropriate associates can access the customer network.
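The segmentation advice above can be checked rather than assumed. The following is an added example, not code from BD, CyberMDX or this article: it audits constructed firewall flow records against two rules, that SMB (TCP 139/445) never reaches the infusion-pump VLAN and that only an approved management subnet talks to it at all. The subnets, hosts and log lines are constructed placeholders.

```python
"""Audit firewall flow records against the segmentation advice in the article:
SMB must not reach the infusion-pump VLAN, and only an approved management
subnet may reach it at all. All addresses here are constructed, not BD values."""
import ipaddress

SMB_PORTS = {139, 445}
# Constructed: the VLAN holding the Alaris Gateway Workstations
DEVICE_VLAN = ipaddress.ip_network("10.20.30.0/24")
# Constructed: the only subnet allowed to reach the device VLAN
ALLOWED_MGMT = ipaddress.ip_network("10.0.5.0/24")

# Constructed sample flow records: "src dst proto dport action"
SAMPLE_FLOWS = """\
10.0.5.11 10.20.30.15 tcp 445 accept
10.0.5.11 10.20.30.15 tcp 80 accept
192.168.1.50 10.20.30.20 tcp 445 drop
192.168.1.50 10.20.30.20 tcp 80 accept
10.0.5.12 10.20.30.16 udp 161 accept
"""

def parse_flow(line):
    """Split one space-separated flow record into typed fields."""
    src, dst, proto, dport, action = line.split()
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto.lower(), "dport": int(dport), "action": action.lower()}

def audit_flow(flow):
    """Return policy findings for one flow (empty list if compliant)."""
    findings = []
    if flow["dst"] not in DEVICE_VLAN or flow["action"] != "accept":
        return findings  # not device-bound, or the firewall already blocked it
    if flow["proto"] == "tcp" and flow["dport"] in SMB_PORTS:
        findings.append("SMB reached device VLAN")
    if flow["src"] not in ALLOWED_MGMT:
        findings.append("source outside approved management subnet")
    return findings

def audit_flows(text):
    """Map each non-compliant flow line to its list of findings."""
    results = {}
    for line in text.splitlines():
        if line.strip():
            findings = audit_flow(parse_flow(line))
            if findings:
                results[line] = findings
    return results

if __name__ == "__main__":
    for line, findings in audit_flows(SAMPLE_FLOWS).items():
        print(line, "->", "; ".join(findings))
```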

CyberMDX suggests that device manufacturers follow established secure-development guidelines to close off potential avenues for breach.

"Device manufacturers should follow SDL methodology (Security Development Life cycle) which addresses embedding security considerations in every step of the product development process — design, development, QA, aftermarket," Elad Luz, head of research at CyberMDX, told HCB News. "When this methodology is followed, questions concerning authorization would be addressed early in the development stage."
