The last place you should have to worry about being hacked is laid out in a hospital bed. But as wireless devices continue to fill patient rooms, those fears can’t help but grow.
Last week, the US Department of Homeland Security (DHS) issued an advisory warning about a vulnerability unearthed in one such wireless device. Security researcher Scott Gayou identified eight vulnerabilities in a syringe infusion pump — a machine used to administer to patients precision doses of medication intravenously.
The device in which Gayou discovered the security flaw is called the Medfusion 4000 infusion pump and it’s manufactured by Smiths Medical, a division of the British multinational Smiths Group. The pump is indicated for use in administering drugs, blood and lipid products, antibiotics, and other therapeutic fluids. In addition to critical care patients, the pump is used to administer anaesthesia, and may be used on paediatric and neonatal patients, that is, newborn babies.
Homeland Security — or more specifically, its Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) — warns in its advisory: “Successful exploitation of these vulnerabilities” identified by Gayou in the Medfusion 4000 “may allow a remote attacker to gain unauthorised access and impact the intended operation of the pump”. The agency adds: “Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump.”
The use of machines for measuring and administering intravenous drugs is nothing new, and such devices are widely credited with reducing major dosing errors. Paediatric dosing, for instance, requires very precise measurements to prevent adverse reactions, and dosing errors in the case of a neonatal patient can be especially fatal. An infusion pump, such as the Medfusion 4000, can replace manual calculations typically done by pharmacy technicians, whose maths may be verified by a skilled pharmacist, but are often left unsupervised while actually drawing up syringes and IV bags before they arrive at a patient’s bedside.
On Thursday, Smiths Medical notified its customers in a letter acknowledging the flaw, though it downplayed the risk to patients, asserting: “The possibility of this exploit taking place in a clinical setting is highly unlikely, as it requires a complex and an unlikely series of conditions.”
Smiths Medical also wrote that it plans to correct the vulnerabilities in a software update to be released five months from now. In the meantime, however, the company has offered a detailed list of protocols it says should prevent any potential attacks. The list includes further segregating the devices from other parts of hospitals’ networks, assigning the devices static IP addresses, and — no kidding — using passwords containing “uppercase, lowercase, special characters, and a minimum character length of eight”.
Attackers exploiting vulnerabilities in medical technology may be the stuff of poorly written Hollywood assassination plots, but that doesn’t make it any less scary for the people who rely on such devices to live. Last month, for instance, nearly a half million patients with cardiac pacemakers were instructed to report to their doctors for a firmware update after the manufacturer disclosed a life-threatening flaw that would allow a malicious attacker to “gain access and issues commands to the implanted medical device”.
Connecting infusion pumps wirelessly to a hospital network, even to a local server that isn’t connected to the internet, poses certain inherent risks. While the benefit to patients may greatly outweighs those risks, there is no technology — save perhaps that which is used for military applications — which demands greater scrutiny and vigilance on the part of security professionals.