When they’re wireless, even seemingly simple medical devices like syringes can be taken over and maliciously controlled by hackers.
The Department of Homeland Security has discovered a vulnerability in an automatic syringe infusion pump used to administer medications and anesthesia in hospitals.
In an advisory, the agency’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned the security flaw in the device – called the Medfusion 4000 – could allow remote hackers to take over and control it.
Security researcher Scott Gayou identified eight vulnerabilities in the Medfusion 4000 (pictured), which is manufactured by Smiths Medical. The company plans to fix the security flaw and release a new version in 2018, but until then, hospitals should be aware
‘Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access and impact the intended operation of the pump,’ the warning reads.
‘Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump.’
Security researcher Scott Gayou identified eight vulnerabilities in the syringe, which is manufactured by Smiths Medical.
The company plans to fix the security flaw and release a new version in 2018, but until then, hospitals should be aware.
‘An attacker with high skill would be able to exploit these vulnerabilities,’ the report reads.
The Medfusion 4000 is used commonly on critical care, pediatric, and neonatal patients.
In newborns, medication dosing needs to be especially precise and can be fatal in the case of slight errors.
The device is a replacement for manual dosing and is supposed to be a safer way to ensure the correct dose is administered.
Six of the vulnerabilities discovered involve issues with authentication, hard-coded credentials, and certificate validation issues, all of which would allow access to the device.
The two other vulnerabilities involve third-party components, and one of those would allow ‘remote code execution’ of the device.
The Department of Homeland Security has discovered a vulnerability in a syringe infusion pump used to administer medications in hospitals. The agency warned the security flaw in the device – called the Medfusion 4000 – could allow remote hackers to take over and control it
While the report says this particular flaw would be difficult to exploit, the risk is high since it would allow a hacker to control the release of medication.
According to Gayou, three separate versions of the Medfusion 4000 device can be corrupted: 1.1, 1.5, and 1.6.
Smithes Medical – a British company – released a letter addressing the report and downplaying the vulnerabilities.
‘The possibility of this exploit taking place in a clinical setting is highly unlikely, as it requires a complex and an unlikely series of conditions,’ the company’s chief technology officer, Brett Landrum, wrote in the letter, addressed, ‘ Dear Valued Customer.’
‘I sincerely apologize for this inconvenience,’ he added.
While the report says this particular flaw would be difficult to exploit, the risk is high since it would allow a hacker to control the release of medication. ‘An attacker with high skill would be able to exploit these vulnerabilities,’ the report reads. Stock image
Hacking is just one of the risks affecting today’s smarter medical technology.
Last month, it was found that more than 465,000 patients with St Jude pacemakers are at risk of potentially fatal hacks – and need to undergo a risky ‘software update.’
The matchbox-sized devices are implanted in a person’s chest to fix abnormal heart rhythms.
Running its own software, it keeps the heart running normally and can also transmit information about a patient’s condition to their doctor via the internet, sounding the alarm when something’s amiss.
St Jude manufacturer Abbott Laboratories sent warning letters to thousands of clients telling them that their high-tech devices have nothing to defend them against hackers.
They also warned patients that the devices’ batteries may run down earlier than expected.
Writing in an advisory to doctors, Abbott said patients need an urgent – and life-threatening – software update to protect them from ‘nearby attackers’ that could make the device ‘stop pacing’.
The Medfusion 4000 is used commonly used on critical care, pediatric, and neonatal patients. The device is a replacement for manual dosing and is supposed to be a safer way to ensure the correct dose is administered
To perform the update, doctors need to put the device in back-up mode. Abbott warned some patients may need to be in a clinic with temporary generators available in case there is a malfunction.
It marks the second round of updates for the heart implants that Abbott has announced since buying medical device maker St Jude Medical earlier this year.
The U.S. government launched a probe last year of claims the devices were vulnerable to potentially life-threatening hacks that could cause implanted devices to pace at potentially dangerous rates or cause them to fail by draining their batteries.
The company also identified a separate problem with lithium batteries in its heart devices last year.
St. Jude recalled some of its 400,000 implanted heart devices last October due to risk of premature battery depletion, which was linked to two deaths in Europe.
The U.S. Food and Drug Administration said then that hospitals should return unused devices and warned patients with an already implanted device to seek immediate medical attention if they get a low-battery alert.
The new update will be designed to reduce the risk of hacking.
Abbott Laboratories, the manufacturer, warned more than 465,000 patients with pacemakers (file image) are at risk of hacks and batteries running out earlier than expected
Writing to doctors on Tuesday, Abbott representatives said: ‘If there were a successful attack, an unauthorized individual (i.e., a nearby attacker) could gain access and issue commands to the implanted medical device through radio frequency (RF) transmission capability, and those unauthorized commands could modify device settings (e.g., stop pacing) or impact device functionality.’
Abbott said it will also provide doctors with an earlier warning when the batteries in the implantable cardioverter defibrillators are at risk of early depletion.
The company said there have been no reports of unauthorized access to any patient’s implanted device and that compromising the security of the devices would require a complex set of circumstances.
An Abbott representative told Daily Mail Online: ‘As we’ve said before, Abbott is resolving all old St. Jude Medical issues.
‘These planned updates further strengthen the security and device management tools for our connected cardiac rhythm management devices.
‘The cybersecurity landscape is always changing, which is why we’re working across the healthcare sector to proactively address issues that affect all connected technologies.’
The FDA said it approved the update to ensure that it addresses the cyber security vulnerabilities, and reduces the risk of patient harm.
The agency and the Department of Homeland Security confirmed in January that St Jude devices were vulnerable to hacking.
But they said they knew of no cyber attacks on patients with the company’s cardiac implants.
The FDA said the benefits of continuing treatment outweighed cyber risks, and DHS said only an attacker ‘with high skill’ could exploit the vulnerability.
They launched the probe in August after short-selling firm Muddy Waters and cyber security firm MedSec Holdings said the devices were riddled with security flaws that made them vulnerable to potentially life-threatening hacks.
When Muddy Waters went public with the claims, it also disclosed it was shorting shares of St Jude Medical, which was preparing to sell itself to Abbott.
The short-selling firm said it believed that disclosure of the vulnerabilities could cause the $25 billion deal to fall apart, but Abbot completed the deal in January.