Infusion pump-linked workstations contain critical security flaw

Bad actors can use the Becton, Dickinson and Company Alaris Gateway Workstations to “authenticate” malicious and potentially dangerous content, CyberMDX discovered.
By Nathan Eddy
12:08 PM
Security vulnerabilities have been found in a series of builds of Becton, Dickinson and Company Alaris Gateway Workstations, which are used to provide mounting, power and communication support to infusion pumps.

WHY IT MATTERS

The security flaws have left those infusion pumps exposed to attackers who could remotely change the dosage of drugs being administered to patients, or even stop the infusion altogether.

The pumps are used in a wide range of therapies, including fluid therapy, blood transfusions, chemotherapy, dialysis and anesthesia.

CyberMDX discovered the previously undocumented vulnerabilities in the workstations, explaining that the Alaris Gateway Workstation supports a firmware upgrade that can be executed without any prior authentication or permission check.

Pushing a counterfeit version of this upgrade gives bad actors a route to have malicious content treated as an “authenticated” update, according to the CyberMDX announcement, a finding corroborated by an advisory from the Department of Homeland Security.

In addition, the web management interface requires no credentials and offers no way to configure any, which means anyone who knows the IP address of a targeted workstation can monitor pump statuses and read event logs, and potentially change the gateway’s network configuration or even restart the gateway.
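Because the affected builds cannot refuse a request on authentication grounds, the only control a hospital can actually enforce is who is allowed to talk to the gateway segment at all. The detector below is an added example (not code from the article, CyberMDX or BD) of what that looks like as monitoring logic: it reads a proxy-style HTTP access log and flags firmware uploads, configuration changes and restarts that did not come from the approved biomed maintenance host, plus status and log reads served to anyone else. The subnet, the maintenance address and the endpoint paths (/firmware/upload, /config/network, /system/restart, /status, /logs) are hypothetical placeholders for the interface the article describes, not documented Alaris endpoints, and the sample log is constructed.

```python
"""Detect unauthenticated management traffic to infusion-pump gateways.

Added example, not code from the article, CyberMDX or BD. It assumes an
HTTP access log (proxy, reverse proxy or Zeek http.log export) with one
request per line: timestamp, client IP, gateway IP, "METHOD path", status.
The addresses and paths below are hypothetical placeholders for the
firmware-upload and management endpoints the article describes.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical addressing: the isolated segment the gateways sit on, and the
# only biomed maintenance host allowed to push firmware or change settings.
GATEWAY_SUBNET = ipaddress.ip_network("10.40.0.0/24")
MAINTENANCE_HOSTS = {ipaddress.ip_address("10.50.0.10")}

# Hypothetical management endpoints. Writes change device state; reads expose
# pump status and event logs. Neither requires credentials on the affected
# builds, so the allowlist above is the only control this check can enforce.
WRITE_PATHS = {
    "/firmware/upload": "firmware upload",
    "/config/network": "network configuration change",
    "/system/restart": "gateway restart",
}
READ_PATHS = {"/status", "/logs"}
WRITE_METHODS = {"POST", "PUT"}

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    severity: str
    reason: str


def analyze(lines):
    """Return one Finding per request that an unauthenticated management
    interface should never have honoured from an unapproved client."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if dst not in GATEWAY_SUBNET or src in MAINTENANCE_HOSTS:
            continue  # not a gateway, or an approved maintenance client
        path, method, status = m["path"], m["method"], int(m["status"])
        if path in WRITE_PATHS and method in WRITE_METHODS:
            # A write attempt is critical whether or not it succeeded: the
            # device itself cannot reject it for lack of credentials.
            findings.append(Finding(m["ts"], str(src), str(dst), "critical",
                                    f"{WRITE_PATHS[path]} from unapproved host"))
        elif path in READ_PATHS and 200 <= status < 300:
            findings.append(Finding(m["ts"], str(src), str(dst), "medium",
                                    f"pump status/log read {path} served to unapproved host"))
    return findings


def summarize(findings):
    """Count findings by severity, e.g. {'critical': 2, 'medium': 1}."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample log, not real traffic. Line 1 is an approved firmware
# push; lines 2-4 are a workstation on the user LAN reading status, changing
# network settings and restarting a gateway; line 5 targets a non-gateway
# host; line 6 was refused and so is not reported.
SAMPLE_LOG = """\
2019-06-13T09:14:02Z 10.50.0.10 10.40.0.21 "POST /firmware/upload" 200
2019-06-13T09:15:37Z 10.20.7.88 10.40.0.21 "GET /status" 200
2019-06-13T09:15:41Z 10.20.7.88 10.40.0.21 "POST /config/network" 200
2019-06-13T09:16:05Z 10.20.7.88 10.40.0.21 "POST /system/restart" 200
2019-06-13T09:16:30Z 10.20.7.88 10.60.1.5 "POST /firmware/upload" 200
2019-06-13T09:17:00Z 10.20.7.88 10.40.0.22 "GET /logs" 403
"""

if __name__ == "__main__":
    results = analyze(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f.severity.upper():8} {f.ts} {f.src} -> {f.dst}: {f.reason}")
    print(summarize(results))
```

The check reports a write attempt regardless of response code because, on an interface with no authentication, the response tells you nothing about whether the request was legitimate; only the source does. In practice this logic belongs in the SIEM rule that watches the gateway VLAN, alongside a firewall policy that makes the unapproved requests impossible in the first place.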

“For some infusion pump models used in tandem with Alaris Gateway Workstations, a hacker could use the compromised gateway to prevent the administration of life-saving treatment or to alter intended drug dosages,” the CyberMDX alert noted.

The cybersecurity firm said it worked with Becton, Dickinson and Company and the DHS to assess the extent of the risk posed and to express that risk with Common Vulnerability Scoring System scores of 10.0 (critical) and 7.3 (high), as referenced in the advisory alerts published online.

THE LARGER TREND

Trojans, riskware, spyware and worms all plague healthcare, which leads all industries in number of data breaches, according to BakerHostetler’s 2019 Data Security Incident Response report.

However, the healthcare security space is set for big growth as hospitals recognize new vulnerabilities and vendors innovate their products and pricing models, and could reach $8.7 billion by 2023, an April Frost & Sullivan study concluded.

ON THE RECORD

“Identifying, quantifying and prioritizing medical device security vulnerabilities requires constant vigilance,” Elad Luz, head of research at CyberMDX, said in a statement, noting the onus for medical device security lies across all stakeholders – device manufacturers, healthcare providers and technology companies.

Vulnerabilities are being discovered on all fronts, in fact, from web management flaws all the way to the sounds biomedical research machines make while operating, as University of California researchers found in February.

The report noted the cyber-physical nature of biotechnology workflows has created new security risks, which the research community has mostly neglected.

Nathan Eddy is a healthcare and technology freelancer based in Berlin.

Email the writer: nathaneddy@gmail.com

Twitter: @dropdeaded209