Over 100,000 Medical Infusion Pumps Vulnerable To Years-Old Critical Bug

In response to reports that data collected from more than 200,000 network-connected medical infusion pumps used to deliver medication and fluids to patients shows that 75% of them are running with known security issues that hackers could exploit, cybersecurity experts commented below.

Tim Erlin, VP of Product Management and Strategy
March 4, 2022 11:15 am

Many connected medical devices simply aren’t designed to be updated once deployed, which makes patching vulnerabilities on deployed devices nearly impossible. The life cycle of a connected embedded device needs to allow for security updates. It’s simply not possible to create an embedded platform that will never have vulnerabilities.

With connected medical devices, the market dynamics simply won’t move fast enough to drive the right behavior. Regulation needs to step in to move vendors and providers alike to ensure that the connected devices used for delivering care meet a minimum standard for security. Devices that can’t be updated need to be replaced, and those replacements need to meet an agreed upon, evidence-based set of security requirements.

John Stock, Product Manager
March 4, 2022 11:14 am

The pumps have been around for some time; it is the same problem seen with all connected devices: lack of basic cyber hygiene. Patching and updates are not performed because it takes time and effort to get them done; people skip updates until a ‘better time’, essentially taking the choice to leave themselves at risk without the end user even realising it.

Forced auto-updates, especially for healthcare products, aren’t always an option, as no-one knows when is the ‘best time’ to perform updates, and other solutions such as swapping them for newer units can be expensive and not viable. More and more IoT devices are now being designed with security in mind, and specific requirements and guidelines have been set by the NCSC (https://www.ncsc.gov.uk/blog-post/connecting-smart-devices-with-confidence), although that only sets out guidance for the UK, with no international requirement.

Companies making these devices should always be assuming the worst, and designing for the worst case scenario. Does a medical device need to be always ‘online’, does it need to be running services, how can the attack surface be made as small as possible, and what can be done to mitigate a vulnerability should one be found to stop mass exploitation?

Jamie Akhtar, CEO and Co-founder
March 4, 2022 11:01 am

This is an extreme example of the perils of failing to regularly update software. It appears that this situation could have been easily avoided with consistent patching, highlighting the importance of regular updates.

And although it is a particularly extreme example, it serves as a timely reminder to businesses everywhere to always check for updates to software and operating systems and download them without delay. After all, it’s by far the simplest thing you can do to improve your business’s cybersecurity posture.

Greg Day, VP & CSO, EMEA
March 4, 2022 10:59 am

Palo Alto’s research validates why many have been keen to support the World Economic Forum’s requirements for standards in this and the broader IoT space. Many challenges with IoT device security exist, considering that medical devices must last many years, especially when embedded into a person’s body. Typically, devices have a singular task, often dealing with complex medical needs in what is still a very nascent space. Closing the security gaps in IoT devices will take time, but a starting point is developing the clear device standards that medical technology experts need to follow.

In addition, concepts such as being able to clearly recognise what a device is, so it can communicate with other systems, are critical. Also, a robust strategy around code updates that includes vulnerability management is needed, as is following best practices on identity authentication processes to ensure trusted connections. All of these have to become a native part of the innovative medical technology space, which to date hasn’t been an initiative focus.

There must also be, in the broader space, a realisation that as more and more things get digitised and interconnected we run the risk of connecting low-value things with high, and value can’t just be measured in cost; it must be measured in impact. Medical IoT is a great example because today technology truly can mean the difference between life and death. We have already seen ransomware have a huge impact on the medical space, blocking processes and procedures due to lack of data.

Erich Kron, Security Awareness Advocate
March 4, 2022 10:55 am

Unfortunately, medical devices are often insecure, despite frequent warnings from cybersecurity professionals. In some cases, the medical facilities underestimate how easily these vulnerabilities can be exploited by bad actors, in others, they simply don’t feel that a bad actor would target medical equipment, and in even other cases, the device manufacturers have not provided patches to deal with these vulnerabilities. There is also the issue of tracking down the devices to patch them.

Devices such as infusion pumps, almost as common as a stethoscope in some facilities, are often moved from room to room, or even around different parts of the medical facility itself, making them very hard to physically locate, especially when not in use with a patient. There can also be concerns of the patch itself causing trouble with the equipment, making it inoperable. All of these issues add up to a challenging situation that leaves vulnerable equipment floating around facilities all around the globe.

Medical organizations must take the threat against medical equipment, even the trusty infusion pump, seriously. Even if an attacker did not want to harm an individual by changing settings on the pump, it is entirely possible that in a very short time the equipment could be hit with ransomware, extorting the facility into paying a ransom in order to get its equipment back online and usable. A medical facility with an inoperable fleet of infusion pumps could find itself in a situation where people must be turned away from the care they need.

To deal with the issue, organizations using devices such as these should develop a process to check for updates to the firmware on devices deployed within the organization and have a procedure in place for physically gathering the equipment together to apply the required patches and get the equipment back in operation quickly.

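The firmware-currency check and physical-collection worklist that the comment above describes, as an added example that is not part of the original page or any vendor's tooling. Everything in it is constructed for illustration: the pump models (PumpModel-A/B/C), asset IDs, locations, and the per-model minimum fixed firmware versions are placeholders standing in for an organisation's own asset register and its accepted baseline. The example compares versions numerically rather than as strings (so "2.10" correctly ranks above "2.9"), flags models for which the manufacturer has not provided a fix separately from those that merely need patching, and groups the results by last known location so the pumps can be gathered and returned to service quickly.

```python
"""Firmware-currency check for a fleet of infusion pumps.

Added example, not code from the page or any vendor. All device records,
model names and firmware versions below are constructed for illustration.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pump:
    asset_id: str
    model: str
    firmware: str
    location: str  # last known ward/room, from the asset register


# Constructed inventory: what an asset register export might look like.
INVENTORY = [
    Pump("IP-0001", "PumpModel-A", "2.9.3", "Ward 3"),
    Pump("IP-0002", "PumpModel-A", "2.10.1", "Ward 3"),
    Pump("IP-0003", "PumpModel-A", "2.10.0", "ICU"),
    Pump("IP-0004", "PumpModel-B", "1.4", "ICU"),
    Pump("IP-0005", "PumpModel-B", "1.4.2", "Storage"),
    Pump("IP-0006", "PumpModel-C", "0.9", "Ward 1"),
]

# Constructed baseline: the lowest firmware version per model that the
# organisation has accepted as fixed. None means no fix is available yet.
MIN_FIXED_FIRMWARE = {
    "PumpModel-A": "2.10.0",
    "PumpModel-B": "1.4.2",
    "PumpModel-C": None,
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn "2.10.1" into (2, 10, 1) so "2.10" sorts above "2.9".

    Plain string comparison would rank "2.9.3" above "2.10.1"; comparing
    integer tuples avoids that. Trailing zeros are stripped so that
    "1.4" and "1.4.0" compare equal.
    """
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unrecognised firmware version: {version!r}")
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def classify(pump: Pump, baseline: dict[str, str | None]) -> str:
    """Return "current", "needs_patch", "no_fix" or "unknown_model"."""
    if pump.model not in baseline:
        return "unknown_model"  # not in the baseline: needs a human decision
    fixed = baseline[pump.model]
    if fixed is None:
        return "no_fix"  # manufacturer has not shipped a fix; track separately
    if parse_version(pump.firmware) >= parse_version(fixed):
        return "current"
    return "needs_patch"


def patch_worklist(inventory, baseline):
    """Group pumps that need attention by location so they can be collected.

    Returns {status: {location: [asset_id, ...]}} for every status other
    than "current".
    """
    work = defaultdict(lambda: defaultdict(list))
    for pump in inventory:
        status = classify(pump, baseline)
        if status != "current":
            work[status][pump.location].append(pump.asset_id)
    return {status: dict(locations) for status, locations in work.items()}


if __name__ == "__main__":
    for status, by_location in patch_worklist(INVENTORY, MIN_FIXED_FIRMWARE).items():
        print(status)
        for location, ids in sorted(by_location.items()):
            print(f"  {location}: {', '.join(ids)}")
```

On the constructed inventory this yields a "needs_patch" list for Ward 3 and the ICU and a separate "no_fix" entry for the Ward 1 pump; the second list is the one that, per the comment, feeds a replacement or compensating-control decision rather than a patching round. A real run would read the inventory from the asset register and the baseline from the organisation's own tracking of vendor advisories.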