For HomeFor BusinessFor Partners
Smart Home
2 min read

Infusion Pumps in EU Healthcare Units Harbor Critical Vulnerability

Ionut ILASCU

September 10, 2018

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Infusion Pumps in EU Healthcare Units Harbor Critical Vulnerability

Connected medical devices suffer chronic insecurity, an ailment that apparently remains untreated for today’s threat landscape.  A recent public alert drew attention to a critical vulnerability in some models of Alaris infusion pumps used across the European Union.

Alaris infusion systems are essentially medical syringe pumps, used in various healthcare departments and specialties, such as oncology, pain management and intensive care. They are meant to increase efficiency and improve patient care by working independently or in clusters to better manage the workflow and infusion data in more than one healthcare area.

The products impacted by the vulnerability are Alaris GS, Alaris GH, Alaris CC, and Alaris TIVA running a software version that was released in 2006, and sold by Becton, Dickinson and Company (BD) under the Asena brand. The company disclosed the flaws publicly and said in its report that they found no evidence the vulnerability was exploited.

The vulnerability has a severity score of 9.4 out of 10, according to the security industry standard for rating computer security issues, meaning an attacker could access vulnerable Alaris syringe pumps from a remote location over the internet and interfere with its operation. The attacker does not need solid computer knowledge to succeed.

Only the infusion pumps connected to a terminal server via a serial port suffer this weakness. This setup is not recommended by the vendor, who recommends customers run the products on an isolated network or in a stand-alone configuration.

BD assessed the flaw’s clinical impact and concluded that “the probability of an unauthorized breach in network security that impacts the delivery of a patient’s IV infusion is negligible due to the sequence of events that must occur in a specific order by a highly trained attacker.”

Connected medical devices have a lifespan often much longer than consumer Internet-of-Things products. Hospital equipment often serves for more than 10 years, and can continue to operate beyond the manufacturer’s end of support date.

These products were built in a time that did not foresee connectivity. They incorporated this feature primarily for convenience, sacrificing or disregarding security controls. The mistakes of the past came back to haunt the healthcare industry and prompt urgent measures for defining a standard for better software security.

Image credit: Becton, Dickinson and Company

tags

Smart Home

Author

Right now Top posts

Spam trends of the week: Crypto giveaways, false prophets, Fintech phishing scams and more hit user inboxes worldwide
Scam Spam

Spam trends of the week: Crypto giveaways, false prophets, Fintech phishing scams and more hit user inboxes worldwide

April 19, 2024

5 min read
Start Cyber Resilience and Don’t Be an April Fool This Spring and Beyond
Scam How to Tips and Tricks

Start Cyber Resilience and Don’t Be an April Fool This Spring and Beyond

April 01, 2024

2 min read
Spam trends of the week: Cybercrooks phish for QuickBooks, American Express and banking accounts
Spam Industry News Threats

Spam trends of the week: Cybercrooks phish for QuickBooks, American Express and banking accounts

November 28, 2023

4 min read
Protecting your important: Stick to these 8 cybersecurity tips for safe Black Friday and Cyber Monday deal hunting
Protecting Your Important How to Tips and Tricks

Protecting your important: Stick to these 8 cybersecurity tips for safe Black Friday and Cyber Monday deal hunting

November 08, 2023

4 min read

FOLLOW US ON SOCIAL MEDIA

You might also like

How to keep your Android device immune to malicious vaccine themed apps
Archive

How to keep your Android device immune to malicious vaccine themed apps
Cristina POPOV

April 22, 2021

2 min read
Facebook Takes Down Two Hacking Groups Operating out of Palestine
Archive Industry News

Facebook Takes Down Two Hacking Groups Operating out of Palestine
Silviu STAHIE

April 22, 2021

2 min read
Ransomware attack causes supermarket cheese shortage in the Netherlands
Archive

Ransomware attack causes supermarket cheese shortage in the Netherlands
Graham CLULEY

April 13, 2021

2 min read

Bookmarks

loader