- Three out of four infusion pumps used to deliver medications and fluids to patients have cybersecurity flaws, putting them at increased risk of being compromised by hackers, according to a new study by Palo Alto Networks' Unit 42 threat research service.
- An analysis of more than 200,000 infusion pumps from seven medical device manufacturers, using crowd-sourced data supplied by healthcare organizations, found more than half of the devices were susceptible to "critical" and "high" severity cybersecurity vulnerabilities. "Security lapses in these devices have the potential to put lives at risk or expose sensitive patient data," states the report, noting that infusion pumps can number in the thousands in a large hospital or clinic.
- The Palo Alto Networks study mirrors results from a January research report by security firm Cynerio, which found that IV infusion pumps make up 38% of a hospital’s typical Internet of Things (IoT) footprint, with 73% of those devices having a vulnerability "that would jeopardize patient safety, data confidentiality, or service availability if it were to be exploited by an adversary."
Infusion pumps are the most common connected medical devices in hospitals and "possess the lion’s share" of cybersecurity risk, concluded Cynerio's January report. The Palo Alto Networks study, released on Wednesday, identified more than 40 different vulnerabilities and over 70 different security alerts among infusion pumps, with one or more affecting 75% of the 200,000 devices analyzed on the networks of mostly U.S. healthcare organizations.
"One of the most striking findings was that 52% of all infusion pumps scanned were susceptible to two known vulnerabilities that were disclosed in 2019 — one with a 'critical' severity score and the other with a 'high' severity score," Palo Alto Networks said in the study.
The study also points out that the average infusion pump has a life of eight to 10 years, resulting in the widespread use of legacy devices that have hampered efforts to improve cybersecurity.
Becton Dickinson's Alaris System vulnerabilities listed in the Palo Alto Networks report were disclosed by the company in 2017, 2019 and 2020. BD made software updates available to fix these vulnerabilities and encouraged customers to update to BD Alaris PCU version 12.1.2, which became available in July 2021, according to the report's researchers.
Still, despite the availability of a patch last year, the Common Vulnerabilities and Exposures (CVEs) in the BD pumps "still had a 50.39% and 39.54% representation in the hospitals," according to Chris Gates, director of product security at medical device engineering firm Velentium.
"While BD has been a responsible manufacturer, the hospitals have not been updating their pumps," which is "magnified by the long service life of these pumps in the hospital," Gates said.
Other cybersecurity experts such as Harbor Labs' Director of Medical Security Mike Rushanan, who has worked with a wide variety of infusion systems, are not impressed with the security practices of much of the infusion pump industry.
"Some infusion pump manufacturers do cybersecurity right, and you don't see them on this list. Others, like BD, you'll see over and over," Rushanan said.
At the same time, Gates is critical of Baxter's response to known vulnerabilities in their infusion pumps.
"The Baxter pumps have a raft of high scoring vulnerabilities," Gates said. "These types of vulnerabilities display a complete disregard for cybersecurity by the manufacturer, this isn't some advanced attack by a nation-state or newly discovered vulnerability in a third-party component. No, this is just not meeting their responsibility as a medical device manufacturer."
In an emailed statement, Baxter said that the company "self-identified, investigated and disclosed" vulnerabilities related to its devices that were noted in the study.
"Securing medical devices, including infusion pumps, is not a one-time event. It requires ongoing vigilance throughout the lifecycle and operation of the pump," it said. "Baxter’s product security team is continuously monitoring for potential vulnerabilities in our medical devices."
A spokesperson at BD said the company planned to issue a statement about the matter today. It wasn't made available at the time of publication.
Baxter's recent infusion pump safety notification, which regards improper device use, adds to the cybersecurity concerns with the machines. BD has similarly had recent problems with its pumps, issuing multiple recalls over the last several years due to machine malfunctions.
"Recalls, whether due to mechanical failure or cybersecurity vulnerability, can be a source of anxiety for supply chain managers, clinical engineers and IT security teams," Palo Alto Networks said in the study. "The at-risk devices must be identified, found and retired or repaired per the instruction of a given recall. An oversight or a miss in any of these areas – whether the devices need repair, maintenance, software patches or updates – can put patient lives or sensitive information at risk."
The Palo Alto Networks study called on the healthcare industry to "redouble efforts to protect against known vulnerabilities" in infusion pumps. Still, Velentium's Gates is skeptical that both hospitals and medical device manufacturers are up to the task, despite the continuing risks to patient safety.
"I would love to see these studies repeated in a year to see how many are still unpatched and still in use in the hospitals. Sadly, I would suspect they would find very similar numbers," Gates said.