75% of medical infusion pumps contain vulnerabilities


A team of specialists from Unit 42 at Palo Alto Networks studied how well hospitals and other healthcare providers are securing the “smart” infusion pumps that deliver medicines and fluids to patients.

Experts analyzed crowdsourced scan data from more than 200,000 infusion pumps on the networks of hospitals and other healthcare organizations. It turned out that 75% of the scanned infusion pumps contained vulnerabilities that put them at increased risk of compromise by attackers.

In addition, 52% of the tested infusion pumps contained two vulnerabilities discovered in 2019, one critical and one high-severity.

There are industry and government initiatives aimed at standardizing information about devices and establishing baseline security criteria for manufacturing them. Nevertheless, the average service life of an infusion pump is between eight and ten years, which means that the widespread use of outdated equipment hinders efforts to improve security. Other factors also continue to undermine overall cybersecurity, including insufficient use of network segmentation, failure to implement operational security best practices, and insufficient security training for health professionals.

Large hospitals or clinics can have thousands of infusion pumps, and a recall, whether due to a mechanical malfunction or a cybersecurity vulnerability, can be a source of concern for supply chain managers, clinical engineers and IT specialists.

Devices at risk must be identified, located, and removed or repaired in accordance with the recall instructions. An oversight or omission in any of these areas, whether repair, maintenance, patching or software updates, can endanger patients’ lives or confidential information.

Experts identified the 10 most common vulnerabilities in infusion pumps based on the results of scanning data analysis: CVE-2019-12255, CVE-2019-12264, CVE-2016-9355, CVE-2016-8375, CVE-2020-25165, CVE-2020-12040, CVE-2020-12047, CVE-2020-12045, CVE-2020-12043 and CVE-2020-12041.

Many of the vulnerabilities in infusion pump systems and medical IoT devices involve the leakage of confidential information. For example, a remote attacker can use CVE-2020-12040 in a MitM attack to gain access to all information about the connection between the infusion pump and the server. CVE-2016-9355 and CVE-2016-8375, on the other hand, can be used by anyone with physical access to the infusion pump to gain access to confidential information.

Many IoMT (and IoT) devices and their operating systems use third-party cross-platform libraries, such as network stacks, which may have vulnerabilities that affect the device in question. For example, CVE-2019-12255 and CVE-2019-12264 are in the IPNet TCP/IP stack, a component of the ENEA OS of Alaris infusion pumps, which makes the devices vulnerable.
