The Department of Homeland Security has issued an alert about a cybersecurity vulnerability affecting certain BD Alaris infusion pump products.
DHS, which scored the issue 6.5 out of 10 on a vulnerability scale, said a successful attack that exploited the weakness could force operators to manually program their Alaris pumps, used in hospitals to deliver fluids.
- BD said it has received no reports of the vulnerability being exploited in clinical settings and will address the weakness through actions including an upcoming version of its BD Alaris PC Unit software.
BD’s Alaris infusion pump unit has been the subject of repeated Class I recall notices this year and is operating under an amended consent decree with FDA. The ICS Medical Advisory issued by DHS on Thursday is unrelated to those issues. Rather, the notice relates to a network session vulnerability that affects the authentication process between certain versions of the Alaris PC Unit and Systems Manager.
An attacker with access to the network associated with the affected BD devices could exploit the vulnerability to establish a direct networking session between the Alaris PC Unit and Systems Manager, provided they could redirect authentication requests and complete an authentication handshake, a type of identity check.
Successful exploitation of the vulnerability could enable a denial of service attack that leads to a drop in the wireless function of the PC Unit. Users would then need to manually operate the PC Unit but it would continue to function as programmed.
BD provided a list of potential consequences of successful attacks and steps to mitigate them in its notice about the vulnerability. An attack could prevent the pre-population of the Alaris PC Unit with infusion parameters taken from electronic medical records, or stop the wireless transmission of a new Guardrails dataset to the Alaris PC Unit. Users would need to manually program the pump and upload Guardrails datasets while the wireless capability is down.
It is possible no users will ever face those problems. BD is yet to receive reports of real-world attacks and has already addressed the vulnerability in more than 60% of Systems Manager installations through its normal server upgrades. A patch for the PC Unit software is planned. In the interim, BD is advising users to consider mitigations including use of a firewall and disabling of unnecessary account protocols and services.
Medigate, a healthcare security company, reported the vulnerability to BD, which then voluntarily shared the information with DHS and FDA. The alert follows ICS Medical Advisories about BD Pyxis MedStation and BD Alaris PCU from earlier this year.