DHS Issues Warning About Cybersecurity Vulnerabilities in Wireless Infusion Pumps | Healthcare Informatics Magazine


September 12, 2017
by Heather Landi

The U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (DHS ICS-CERT) last week issued an advisory outlining eight vulnerabilities in Smiths Medical’s Medfusion 4000 Wireless Syringe Infusion Pump.

The vulnerabilities, identified by independent researcher Scott Gayou, could be exploited remotely, according to DHS ICS-CERT. “Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access and impact the intended operation of the pump. Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump,” the agency wrote. “Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment and specific clinical usage.”

Smiths Medical is planning to release a new product version to address these vulnerabilities in January 2018. In the interim, NCCIC/ICS-CERT is recommending that users apply the identified compensating controls until the new version can be applied.

According to the advisory, Smiths Medical recommends users apply the following defensive measures:

  • Assign static IP addresses to the Medfusion 4000 Wireless Syringe Infusion Pump.
  • Monitor network activity for rogue DNS and DHCP servers.
  • Ensure that the network segments on which the Medfusion 4000 medical infusion pumps are installed are segmented from other hospital and clinical information technology infrastructure.
  • Consider network micro segmentation.
  • Consider use of network virtual local area networks (VLANs) for the segmentation of the Medfusion 4000 medical infusion pumps.
  • Apply proper password hygiene standards across systems (i.e., use uppercase, lowercase, special characters, and a minimum character length of eight).
  • Do not re-use passwords.
  • Routinely take backups and perform routine evaluations.
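
As an added illustration (not code from Smiths Medical, ICS-CERT, or the original article), the sketch below audits passively collected network events against three of the controls listed above: static pump addressing, rogue DNS/DHCP monitoring, and segmentation. Every address, MAC, and the event format itself are constructed placeholders for a hypothetical pump VLAN.

```python
import ipaddress

# Constructed policy for a hypothetical pump VLAN; every address is a placeholder.
POLICY = {
    "pump_subnet": ipaddress.ip_network("10.20.30.0/24"),
    "static_ips": {"00:11:22:33:44:01": "10.20.30.11",
                   "00:11:22:33:44:02": "10.20.30.12"},
    "dhcp_servers": set(),                 # pumps are static, so no DHCP server is expected
    "dns_servers": {"10.20.30.2"},
    "allowed_peers": {"10.20.30.2", "10.20.40.5"},  # resolver and pump management server
}

# Constructed event summaries, as a passive sensor on the pump VLAN might emit them.
EVENTS = [
    {"type": "dhcp_offer", "server": "10.20.30.250"},
    {"type": "dns_response", "server": "10.20.30.2", "client": "10.20.30.11"},
    {"type": "dns_response", "server": "10.20.30.77", "client": "10.20.30.12"},
    {"type": "arp", "mac": "00:11:22:33:44:02", "ip": "10.20.30.99"},
    {"type": "flow", "src": "10.20.30.11", "dst": "10.20.40.5"},
    {"type": "flow", "src": "192.168.5.20", "dst": "10.20.30.11"},
]

def audit(events, policy):
    """Return (control, detail) findings for events that violate the policy."""
    findings = []
    def in_pump_net(ip):
        return ipaddress.ip_address(ip) in policy["pump_subnet"]
    for e in events:
        if e["type"] == "dhcp_offer" and e["server"] not in policy["dhcp_servers"]:
            findings.append(("rogue-dhcp", e["server"]))
        elif (e["type"] == "dns_response" and in_pump_net(e["client"])
              and e["server"] not in policy["dns_servers"]):
            findings.append(("rogue-dns", e["server"]))
        elif e["type"] == "arp":
            expected = policy["static_ips"].get(e["mac"])
            if expected and expected != e["ip"]:
                findings.append(("static-ip-drift", f'{e["mac"]} {expected}->{e["ip"]}'))
        elif e["type"] == "flow":
            # When one endpoint is a pump, the other must be an approved peer.
            pump_side = [ip for ip in (e["src"], e["dst"]) if in_pump_net(ip)]
            other = [ip for ip in (e["src"], e["dst"]) if not in_pump_net(ip)]
            if pump_side and other and other[0] not in policy["allowed_peers"]:
                findings.append(("segmentation", f'{e["src"]}->{e["dst"]}'))
    return findings

if __name__ == "__main__":
    for control, detail in audit(EVENTS, POLICY):
        print(f"{control:16} {detail}")
```
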

 
