Security Vulnerabilities Allow Attackers to Remotely Take Over Infusion Pump
IV Pump News June 27, 2019
Healthcare security firm CyberMDX has disclosed, and the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has published an advisory on, two cybersecurity vulnerabilities in the firmware and the web management interface of the BD Alaris Gateway Workstation (AGW).
The two vulnerabilities were independently tested, validated, and scored using the Common Vulnerability Scoring System (CVSS), the industry-standard framework for rating vulnerability severity. BD, the U.S. Department of Homeland Security and CyberMDX worked together to assess the risks and express them as CVSS base scores. The firmware vulnerability gives an attacker the ability to completely disable the device, install malware, report false information, and remotely take the onboard computer offline. In extreme cases, the attacker can communicate directly with the attached infusion pumps and alter drug doses and infusion rates. Because the attack is easy to carry out, can be launched remotely, and has a high impact, the firmware vulnerability received a base score of 10.0 (Critical), the maximum possible.
The second vulnerability, in the AGW's web management interface, received a base score of 7.3 (High). It could allow an attacker to reach the workstation's monitoring and configuration interfaces through a web browser.
Elad Luz, Head of Research at CyberMDX, said: "Identifying, quantifying, and prioritizing medical device security vulnerabilities requires constant vigilance. Our goal is to discover and help remedy critical vulnerabilities before they are exploited to adversely affect patient care."
BD Alaris Gateway Workstations and infusion pumps are widely used in hospitals and medical facilities. The workstation provides mounting, power, and network communication for the infusion pumps docked in it, and connects them to a central monitoring station where medical staff can follow the dispensing of intravenous fluids and medications. Because the workstation sits between the hospital network and the pumps, compromising it gives an attacker a path to the pumps themselves. The workstation runs Windows CE, an operating system that was common in pocket PCs before smartphones and which, according to Microsoft, reaches the end of its support life by 2020.
BD spokesperson Troy Kirkpatrick recommends that device owners update to the latest firmware, which contains fixes for both vulnerabilities. BD states that the vulnerabilities do not affect any products sold in the United States.
AIV, Inc. is committed to providing high quality IV pumps, replacement parts, accessories and repair service for major infusion equipment manufacturers. Learn more about AIV’s wide selection of IV pump solutions at https://aiv-inc.com/iv-pump-parts-service.html