The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (DHS ICS-CERT) has identified eight cybersecurity vulnerabilities in Smiths Medical’s Medfusion 4000 Wireless Infusion Pumps. These pumps are used worldwide for accurate medication delivery in critical care departments and operating rooms. Vulnerable versions include v1.1, v1.5, and v1.6.
"Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access and impact the intended operation of the pump. Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump," ICS-CERT says.
The vulnerabilities range in severity from low to critical on the Common Vulnerability Scoring System, and allow a remote hacker to impact the intended operation of the device. Six of the vulnerabilities involve the use of hard-coded credentials, authentication gaps, and certificate validation issues that allow the hacker to gain access to the device. The others include a buffer overflow, which allows remote code execution, and crashing of the communications module, which would not impact the device’s therapeutic functionality. Currently there are no known public exploits specifically targeting the flaws, and only highly skilled hackers are able to exploit them.
Smiths Medical says it is unlikely that these vulnerabilities will be exploited in a clinical setting, but the company has been working with ICS-CERT and the Food and Drug Administration to mitigate the cybersecurity issues.
For facilities using the Medfusion 4000 Wireless Infusion Pumps, it is recommended that a risk assessment be done to determine whether the facility should disconnect the pump from the network until the updated version that addresses these issues is available. Disconnecting from the network would require hospital staff to manually update the drug libraries. For devices that will remain networked, ICS-CERT recommends closing off several ports to ensure FTP is disabled, monitoring and logging network traffic, and isolating the devices from the Internet and any untrusted systems.
AIV, Inc. is committed to providing high quality IV pumps, replacement parts, accessories and repair service for major infusion equipment manufacturers. Learn more about AIV’s wide selection of IV pump solutions at http://aiv-inc.com/iv-pump-parts-service.html.