Medfusion 4000 Wireless Infusion Pump – A Cybersecurity Risk

September 14, 2017

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (DHS ICS-CERT) has identified eight cybersecurity vulnerabilities in Smiths Medical’s Medfusion 4000 wireless infusion pumps. These pumps are used worldwide for accurate medication delivery in critical care departments and operating rooms. Vulnerable versions include v1.1, v1.5, and v1.6.

"Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access and impact the intended operation of the pump. Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump," ICS-CERT says.

The vulnerabilities range in severity from low to critical on the Common Vulnerability Scoring System, and allow a remote hacker to exploit the intended operation of the device. Six of the vulnerabilities involve the use of hard-coded credentials, authentication gaps, and certificate validation issues, allowing the hacker to gain access to the device. The others include a buffer overflow, which allows remote code execution, and crashing of the communications module, which would not impact the device’s therapeutic functionality. Currently there are no known public exploits specifically targeting the flaws, and only highly skilled hackers are able to exploit them.

Smiths Medical says it is unlikely that these vulnerabilities will be exploited in a clinical setting, but they have been working with ICS-CERT and the Food and Drug Administration to mitigate the cybersecurity issues.

For facilities using the Medfusion 4000 wireless infusion pumps, it is recommended that a risk assessment be done to determine whether the facility should disconnect the pump from the network until the updated version that addresses these issues is available. Disconnecting from the network would require hospital staff to manually update the drug libraries. For devices that will remain networked, ICS-CERT recommends closing off several ports to ensure that FTP is disabled, monitoring and logging network traffic, and isolating the devices from the Internet and any untrusted systems.

AIV, Inc. is committed to providing high quality IV pumps, replacement parts, accessories and repair service for major infusion equipment manufacturers. Learn more about AIV’s wide selection of IV pump solutions at http://aiv-inc.com/iv-pump-parts-service.html.

About the Author

Laura Collier

Laura Collier has a Bachelor’s Degree in Communications and a Master’s Degree in Business Administration from the University of North Florida. She is the Marketing Manager at AIV, Inc.
