Posted on August 25, 2021 at 2:08 PM
Various medical devices have been found with vulnerabilities that expose them to hackers. Some of the devices prone to this risk include pacemakers, insulin pumps, ultrasounds, mammography machines and monitors. The most threatening of these vulnerabilities is the one on the infusion pump that can issue double doses of medicine to victims.
These infusion pumps give an automatic medicinal dose and nutrients to patients through a bag of intravenous fluids. The device is programmed to administer small doses without errors. Hence, if there is a chance of error, the effects could be vital.
Infusion Pumps Linked to Injuries and Deaths
The Food and Drugs Administration (FDA) has issued prior reports on injuries and deaths related to infusion pumps. Between 2005 and 2009, the FDA received around 50,000 reports of adverse events linked to faulty infusion pumps. As a result, the FDA imposed an infusion pump safety in 2010.
The safety provided by the FDA requires devices such as the B. Braun Infusomat Space Large Volume Pump to be locked at a software level. This eliminates any chance of sending direct commands to the devices. However, research from McAfee shows there are loopholes to this limitation.
According to Steve Povolny, a head researcher at McAfee, “As an attacker, you should not be able to move back and forth from the SpaceStation to the actual pump operating system, so breaking that security boundary and getting access to be able to interact between those two—it’s a real problem. We showed that we could double the rate of flow.”
The research also stated that an attacker who could access the network of a healthcare facility could exploit a connectivity vulnerability that allowed them to control the SpaceStation. However, the researchers consented that the attack was not easy to carry out but required solid access to the medical facility’s network.
However, if a hacker successfully exploits these vulnerabilities, it permitted an attacker to find a loophole in the security of the devices. The hacker could then add to their privileges, access sensitive information, upload files and perform remote code execution. McAfee also added that the hacker could alter the configuration of the infusion pumps and alter the doses.
Update to the Latest Version
McAfee also stated that there was a way to boost the security of the devices. This could be achieved by installing the latest version of the software. The firm also urges those who purchased these devices to install extra security measures like setting up multifactor authentications and segmentation.
On the other hand, B. Braun stated that the vulnerabilities did not apply to all devices but only to a limited number of older software. B. Braun also stated that it had not verified any instance where the devices were exploited. “We strongly disagree with McAfee’s characterisation in its post that this is a ‘realistic scenario’ in which patient safety is at risk,” the company added.
McAfee researchers also added that the bugs found on the infusion pumps were not yet patched. The firm also added that they had only removed the vulnerable networking feature in the new set of SpaceStations.
McAfee added that it had discovered the bugs towards the end of 2020. The FDA has stated that it is still to be informed on the vulnerabilities. However, the agency stated that it would contact the researchers and analyse the information related to the vulnerability. The FDA also stated that it would coordinate with the device manufacturers to assess and determine the threat to patient safety.
McAfee’s research admitted that exploiting the vulnerability would be a difficult and time-consuming process for the hacker. Getting information about the devices was not easy; hence, a hacker needed to be highly skilled and have adequate resources that will allow him to reverse engineer and coordinate the attack. Because of these limited details, the McAfee researchers were cautious about the details to reveal in the findings.
There is also a chance that an attacker can use minimal effort to do the damage. They would only need to access the first vulnerability on the chain to conduct other attacks such as ransomware. Hospitals have been victims of ransomware attacks of late; hence failure to fix this vulnerability could have devastating effects.
“Ransomware may be more likely right now, but we cannot ignore the fact that this exists. All it takes is literally one time—one political figure, one assassination attempt, and we’ll be thinking that we could have done the work to prevent this,” Povolny stated. Safety and privacy concerns related to patient’s health has become an urgent need.