Following the news that researchers have found eight vulnerabilities in Medfusion 4000 wireless syringe infusion pumps. IT security experts commented below.
Dr. Malcolm Murphy, Technology Director for Western Europe at Infoblox:
“As the use of connected devices in medicine becomes more common place, this news highlights the pressing need for manufacturers to start considering the security of each device as an absolute priority.
However, a further difficulty arises because of the lifecycle of a medical devices. Often, the device life is not going to be in sync with the rapid rate at which the IT industry discovers vulnerabilities and issues patches – that is when patches can be pushed out.
In order to combat the potential dangers, IT managers must ensure that they can monitor the network activity of connected medical devices so that they can spot unusual and potentially malicious activity. Without it, not only can these devices be hijacked by hackers as an entry point into the network and the wealth of sensitive patient data, but, as seen in this case, also put the physical safety of patients at risk.”
Sergey Lozkhin, Senior Security Researcher, Global Research & Analysis Team at Kaspersky Lab:
“Vulnerabilities in smart medical devices such as syringe pumps can directly affect a victim. In the case of medical devices, such an attack could be highly targeted – so they should be implemented with security in mind. The device should carefully monitor connections, looking for anything out of the ordinary that might indicate a threat.
Kaspersky Lab advises that hospitals, their IT departments and medical equipment suppliers should make sure passwords are frequently changed and all the software used is always up to date, as well as excluding all information systems that process medical data from external access, and isolating medical equipment in a separate segment with connection to a workstation.”
Paul German, CEO at Certes Networks:
“The response of a manufacturer of wireless syringe pumps that have been shown to have a security vulnerability raises serious concern about attitudes to safety.
“Rather than being able to fix the vulnerability quickly and efficiently, the company has said a patch will become available early 2018, leaving patients exposed for almost four months, and that’s assuming the patch can be applied immediately. The explanation behind this is that, exploiting the flaw is so complicated, there is minimal risk that hackers will take advantage.
“Hackers continue to run rings around organisations, and the recent attack on the NHS shows that there is no moral code that puts health services off limits. This vulnerability highlights that those in charge of the cyber security of health providers must go above and beyond when it comes to cyber security.
“The evidence shows that current security measures aren’t working and so Chief Information Security Officers (CISOs) must look beyond regulatory requirements alone to innovative solutions that offer more robust protection. The risk is no longer just about financial impact or brand damage, the risk now includes injuries to persons or danger to life, meaning the security stakes have now risen to a level where time and cost are no longer factors that can be used as excuses.
Identified gaps needs to be closed quickly when found, however even better would be to secure critical services in a way that does not rely on application or infrastructure vendors. Instead CISOs need to look to specialised security vendors that are able to offer defences that are not impacted by the security flaws of devices and infrastructure they aim to protect. Only by adopting a decoupled solution and taking the attitude that nothing can be inherently trusted, CISOs are able to offer reassurances that they are taking security and patient safety seriously.”