The U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (DHS ICS-CERT) last week issued an advisory outlining eight vulnerabilities in Smiths Medical’s Medfusion 4000 Wireless Syringe Infusion Pump.
The vulnerabilities, identified by independent researcher Scott Gayou, could be exploited remotely, according to DHS ICS-CERT. “Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access and impact the intended operation of the pump. Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump,” the agency wrote. “Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment and specific clinical usage.”
Smiths Medical is planning to release a new product version to address these vulnerabilities in January, 2018. In the interim, NCCIC/ICS-CERT is recommending that users apply the identified compensating controls until the new version can be applied.
According to the advisory, Smiths Medical recommends users apply the following defensive measures:
- Assign static IP addresses to the Medfusion 4000 Wireless Syringe Infusion Pump.
- Monitor network activity for rogue DNS and DHCP servers.
- Ensure network segments which the Medfusion 4000 medical infusion pumps are installed are segmented from other hospital and clinical information technology infrastructure.
- Consider network micro segmentation.
- Consider use of network virtual local area networks (VLANs) for the segmentation of the Medfusion 4000 medical infusion pumps.
- Apply proper password hygiene standards across systems (i.e., use uppercase, lowercase, special characters, and a minimum character length of eight).
- Do not re-use passwords.
- Routinely take backups and perform routine evaluations.