HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Security Issues Identified in 75% of Infusion Pumps

This week, researchers at Palo Alto’s Unit 42 team published a report that shows security gaps and vulnerabilities often exist in smart infusion pumps. These bedside devices automate the delivery of medications and fluids to patients and are connected to networks to allow them to be remotely managed by hospitals.

The researchers used crowdsourced scans from more than 200,000 infusion pumps at hospitals and other healthcare organizations and searched for vulnerabilities and security gaps that could potentially be exploited. The devices were assessed against more than 40 known vulnerabilities and over 70 other IoT vulnerabilities.

75% of the 200,000 infusion pumps were discovered to have security gaps that placed them at an increased risk of being compromised by hackers. Worryingly, 52% of the analyzed devices were found to be vulnerable to two serious infusion pump vulnerabilities dating back to 2019, one of which is a critical flaw with a CVSS severity score of 9.8 out of 10 (Wind River VxWorks CVE-2019-12255), and the other is a high severity flaw with a CVSS score of 7.1 (Wind River VxWorks CVE-2019-12264).

Vulnerabilities in infusion pumps could be exploited to cause harm to patients. By gaining access to the devices, attackers could stop the delivery of drugs and fluids or cause the devices to deliver potentially fatal doses of drugs. Vulnerabilities could also be exploited to gain access to, modify, or delete sensitive patient data, and it is the latter type of vulnerability that is most common.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

“While some of these vulnerabilities and alerts may be impractical for attackers to take advantage of unless physically present in an organization, all represent a potential risk to the general security of healthcare organizations and the safety of patients – particularly in situations in which threat actors may be motivated to put extra resources into attacking a target,” said the researchers. “Our discovery of security gaps in three out of four infusion pumps that we reviewed highlights the need for the healthcare industry to redouble efforts to protect against known vulnerabilities, while diligently following best practices for infusion pumps and hospital networks,”

Large hospitals and clinics can use thousands of infusion pumps. When vulnerabilities are discovered, patching or applying compensating controls quickly can be a major challenge. First, the affected devices must be identified, then they must be patched, fixed, or replaced. If any vulnerable device is missed, it will remain vulnerable to attack and a patient’s life may be put at risk.

It is important to maintain an accurate inventory of infusion pumps (and other IoMT devices) in use and to have the capability to rapidly discover, locate, and assess utilization of the devices. Security teams should perform a holistic risk assessment and proactively find vulnerabilities and identify compliance gaps.

Risk reduction policies should be applied. “Real-time risk monitoring, reporting, and alerting are crucial for organizations to proactively reduce IoMT risk,” suggest the researchers. “Consistent profiling of device activity and behavior yields data that can be accurately converted into risk-based Zero-Trust policy recommendations.” Hospitals and clinics should also take steps to block known targeted IoT malware, spyware, and exploits, prevent the use of DNS for C2 communications, and stop access to bad URLs and malicious websites to prevent the loss of sensitive data.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.