HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Researchers Identify Easily Exploitable Vulnerabilities in Drug Infusion Pumps

Researchers at McAfee Advanced Threat Research (ATR), in conjunction with the medical device cybersecurity firm Culinda, have identified 5 previously unreported vulnerabilities in two widely used models of B. Braun drug infusion pumps.

The devices are used globally in hospitals to treat adult and pediatric patients and automate the delivery of medications and nutrients to patients. They are especially useful for ensuring controlled delivery of critical medication doses.

The flaws in the B. Braun infusion pumps could be exploited by an unauthenticated attacker to change the configuration of the infusion pumps while they are in standby mode, which could result in an unexpected dose of medication being delivered the next time the device is used, potentially causing harm to a patient.

McAfee alerted B.Braun to the vulnerabilities in the B. Braun Infusomat Space Large Volume Pump and the B. Braun SpaceStation on January 11, 2021, and recommended safeguards that should be implemented to prevent the flaws being exploited. In May 2021, B.Braun published information for customers and notified the Health Information Sharing & Analysis Center (H-ISAC) about the flaws and recommended mitigations. The flaws affect infusion pumps running older versions of B.Braun software; however, the researchers explained that “vulnerable versions of software are still widely deployed across medical facilities and remain at risk of exploitation.”

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

Safeguards have been incorporated into the infusion pumps to prevent attackers from changing doses while the pumps are operational, so it would not be possible for an attacker to change doses as they are being administered. The vulnerabilities can however be exploited while the pumps are idle or on standby, so changes could be made to the function of the devices between infusions.

There have been no reported cases of the vulnerabilities in these or other drug infusion pumps being exploited in the wild, but this is a credible attack scenario and one that could easily be exploited to cause harm to patients. The latest version of B.Braun software blocks the initial network vector of the attack chain, but the flaws have not been totally addressed. An attacker could find another way to gain access to the network to which the devices connect and exploit the flaws. Given the number of ransomware attacks that have been reported in recent months, gaining access to healthcare networks is not proving to be a major challenge for many threat actors.

“Until a comprehensive suite of patches is produced and effectively adopted by B. Braun customers, we recommend medical facilities actively monitor these threats with special attention, and follow the mitigations and compensating controls provided by B. Braun Medical Inc. in their coordinated vulnerability disclosure documentation,” suggested the researchers.

The researchers believe that many other medical devices could have vulnerabilities that could be exploited to cause harm to patients. Medical devices are designed primary to ensure patient safety, and safeguards are implemented to ensure patient safety is not put at risk; however, it is common for cybersecurity protections to be given less consideration during the design stage. Further, when security flaws are discovered in medical devices, patching is costly. The devices are tightly controlled, so it is not just a case of releasing a patch or automatically updating the devices as would occur with an Internet browser for instance. Patches need to be thoroughly tested, the devices must be taken out of action while updates are applied, and the patches and updates need to be thoroughly tested. It is for this reason that many devices still use legacy versions of software and firmware.

“For the time being, ransomware attacks are a more likely threat in the medical sector, but eventually these networks will be hardened against this type of attacks and malicious actors will look for other lower-hanging fruits,” explained the researchers. “Given the lifespan of medical devices and the difficulties surrounding their updates, it is important to start planning now for tomorrow’s threats. We hope this research will help bring awareness to an area that has been a blind spot for far too long.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.