As of 2020, about 80% of hospitals in the United States were using smart infusion pumps.

Palo Alto Networks Unit 42 researchers analyzed data crowdsourced from over 200,000 network-linked infusion pumps used in healthcare facilities/hospitals and identified severe security concerns. 

Unit 42 researchers discovered grave medical device security issues in the infusion pumps they analyzed as 75% of the samples contained security vulnerabilities that exposed the device to potential exploitation. This could have drastic implications for the healthcare sector regarding patients’ security.

The purpose of this research was to assess the reliability and security of smart infusion pumps used by a majority of healthcare organizations globally. These pumps are connected to the internet and automatically dispense fluids and medications to patients.

It is worth noting that as of 2020, about 80% of hospitals in the United States were using smart infusion pumps.

Which Vulnerabilities Were Discovered?

Palo alto Networks’ research team stated that scans from 7 medical device manufacturers were obtained for their analysis. Over 52% of all scanned infusion pumps were vulnerable to two known vulnerabilities discovered in 2019.

These flaws are tracked as CVE-2019-12255 (buffer overflow flaw in Wind River VxWorks’ TCP component) and CVE-2019-12264 (incorrect access control issue in Wind River VxWorks DHCP client component).

Researchers noticed that infected pumps contained one or more of forty known security vulnerabilities and at least seventy other IoT device vulnerabilities. Over half of the infusion pumps they examined were vulnerable to the two high severity vulnerabilities mentioned above.

Most vulnerabilities found in network-connected infusion pumps were categorized as sensitive information leakage, third-party TCP/IP stack vulnerabilities, and unauthorized access and overflow.

If exploited successfully, these vulnerabilities can allow leakage of sensitive patient data, and an attacker can gain unauthorized access to the device.

More Medical Devices Security Flaws:

Why Infusion Pumps Have Vulnerabilities?

According to their report, researchers noted that despite the availability of information about medical device security measures, healthcare facilities have failed to ensure the security of smart infusion pumps. 

There are also initiatives led by industry and government aimed at standardizing device information and establishing baseline security criteria for manufacturing these devices.“Yet the average infusion pump has a life of eight to 10 years, which means the widespread use of legacy equipment has hampered efforts to improve security.

Palo Alto Networks Unit 42

Furthermore, insufficient network segmentation and disregard for basic security best practices are responsible for flaws in infusion pumps and other medical devices.

It is worth noting that the FDA (Food and Drug Administration) recalled infusion pumps seven times during 2021 and nine times in 2020. 

This indicates that there’s a dire need to improve the security of these devices. The Healthcare Supply Chain Association (HSCA) has released guidelines for medical device manufacturers in this regard.