Security warning over hospital syringe pumps

Security expert exposes flaws in medical device that could put patients at risk from cyber hackers

Cyber criminals could hack into life-saving medical equipment, changing dosages and putting patient safety at risk, a new report has revealed.

Security researcher, Scott Gayou, found eight separate flaws in the MedFusion 4000 pump manufactured by Smiths Medical.

And his discovery has led the US Department of Homeland Security (DHS) issuing a warning about the danger this posed. The UK Medicines and Healthcare products Regulation Agency (MHRA) is yet to make a statement on the impact in the UK.

Smiths plans to fix devices by early 2018 and said it was ‘highly unlikely’ any hackers would exploit the flaws.

Hackers continue to run rings around organisations and the recent attack on the NHS shows that there is no moral code that puts health services off limits

The wireless infusion pumps involved in the study are used in hospitals to administer precise doses of drugs, blood, antibiotics and other critical fluids to patients.

They are also used during surgery to ensure patients stay unconscious, and in neonatal wards to treat premature babies.

The vulnerabilities found by Gayou left the devices open to a series of well-known attacks as they did little to check who was connecting to them and a poor job of sanitising any commands they were sent.

The DHS said anyone successfully exploiting the vulnerabilities could ‘gain unauthorised access and impact the intended operation of the pump’.

This, it said, could let attackers hijack the pump's communications and control systems.

The DHS acknowledged that there were no ‘known public exploits’ that explicitly targeted the vulnerabilities, but it said hospitals should look at how they used the pumps to see what risk they posed.

In a statement, Smiths said the risk of the vulnerabilities causing any harm was low because they required a ‘complex and an unlikely series of conditions’ to be met before an attacker could abuse them.

Signed by Brett Landrum, the company’s chief technology officer and vice president of R&D, it stated: “A cyber security exploit affecting Medfusion 4000 devices has been identified and, given our enduring commitment to patient safety and device cyber security, we are contacting you to provide details and our plan to safeguard against issues.

“The possibility of this exploit taking place in a clinical setting is highly unlikely as it requires a complex and an unlikely series of conditions.

“In partnership with ICS-CERT, we have released the technical details of this exploit and actions that you should take to protect against it.

“Further, we are preparing a software security update that will be rolled out by January 2018 to resolve this issue and to protect against the potential of future cyber security exploits.

The evidence shows that current security measures aren’t working and so chief information security officers must look beyond regulatory requirements alone to innovative solutions that offer more-robust protection

“The safety of your patients and security of our devices is of paramount importance and remains our unwavering commitment to you.”

The analysis of the pump software comes soon after flaws were found in more than 745,000 pacemakers that, if exploited, could lead to them being hacked.

Commenting on the problem, Paul German, chief executive of Certes Networks, an encryption specialist on how the health industry should change its attitude to cyber security, told BBH: “The response of a manufacturer of wireless syringe pumps that have been shown to have a security vulnerability raises serious concern about attitudes to safety.

“Rather than being able to fix the vulnerability quickly and efficiently, the company has said a patch will become available early 2018, leaving patients exposed for almost four months, and that’s assuming the patch can be applied immediately.

“The explanation behind this is that, exploiting the flaw is so complicated, there is minimal risk that hackers will take advantage.”

He added: “Hackers continue to run rings around organisations and the recent attack on the NHS shows that there is no moral code that puts health services off limits. This vulnerability highlights that those in charge of the cyber security of health providers must go above and beyond when it comes to cyber security.

“The evidence shows that current security measures aren’t working and so chief information security officers (CISOs) must look beyond regulatory requirements alone to innovative solutions that offer more-robust protection.

The risk is no longer just about financial impact or brand damage, the risk now includes injuries to persons or danger to life, meaning the security stakes have risen to a level where time and cost are no longer factors that can be used as excuses.

“Identified gaps need to be closed quickly when found. However, even better would be to secure critical services in a way that does not rely on application or infrastructure vendors. Instead CISOs need to look to specialised security vendors that are able to offer defences that are not impacted by the security flaws of devices and infrastructure they aim to protect.

“Only by adopting a decoupled solution and taking the attitude that nothing can be inherently trusted, CISOs are able to offer reassurances that they are taking security and patient safety seriously.”

Companies