Cybersecurity is causing headaches across the industry as recent FDA guidance ensures that turning a blind eye to vulnerabilities will no longer be tolerated. And while awareness alone is not enough, as MDDI reported in late August, it is a step in the right direction.
The latest example of just how widespread cybersecurity issues are in medtech involves a line of infusion pumps from Plymouth, MN-based Smiths Medical. According to the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), independent researcher Scott Gayou has identified eight vulnerabilities in Smiths Medical’s Medfusion 4000 Wireless Syringe Infusion Pump (versions 1.1, 1.5, and 1.6). ICS-CERT noted that Smiths Medical is planning to release a new product version to address these vulnerabilities in January 2018, but in the meantime, patients who use the device should follow certain safeguards, the agency said.
Wireless infusion pumps seem to be particularly vulnerable to cybersecurity risks because they use connectivity capabilities to connect the pump to point-of-care medication systems and electronic health records. Earlier this year the National Cybersecurity Center of Excellence (NCCoE) released a draft version of practice guides specific to wireless infusion pumps.
According to the NCCoE, wireless infusion pumps can be infected by malware, which can cause them to malfunction or operate differently than intended. And traditional malware protection could negatively impact the pump’s ability to operate efficiently, the agency noted. Most of these pumps contain a maintenance default passcode, the NCCoE said, and if organizations do not change the default passcode when provisioning pumps, or if they do not periodically change the passwords after pumps are deployed, the device will be more vulnerable to attack.
The NCCoE also said that information stored inside infusion pumps, such as data from drug library systems, infusion rates, dosages, and protected health information, has to be properly secured. Like other devices with operating systems and software that connect to a network, the wireless infusion pump ecosystem creates a large attack surface, the agency said, meaning there are several different points where a hacker could get into a system and steal data.
If a hacker were to exploit the identified vulnerabilities of Smiths Medical’s pumps, ICS-CERT said that both the communications module and the therapeutic module of the pump could be compromised.
The company further explained the situation in a letter to customers. “The possibility of this exploit taking place in a clinical setting is highly unlikely, as it requires a complex and an unlikely series of conditions,” Brett Landrum, Smiths Medical's chief technology officer and vice president of R&D, wrote.
Landrum said the company has been working with the FDA Center for Devices and Radiological Health and ICS-CERT to resolve this issue. In partnership with ICS-CERT, Smiths Medical has released the technical details of the exploit and actions that Medfusion customers can take to safeguard against potential cyber threats. Customers with questions about the identified risks may contact the company at firstname.lastname@example.org or 866-831-8399.
In a recent poll, 35.6% of the more than 500 voters said a cybersecurity incident had impacted their organization in the past year. The votes came from professionals at medical device and component companies and healthcare IT organizations, as well as medical device users and regulators.