Most smart medical infusion pumps have known security gaps that make them vulnerable to hackers, according to new research by Palo Alto Networks’ Unit 42.
Smart infusion pumps are network-connected medication delivery devices that use a combination of computer technology and drug libraries to administer medications and fluids to patients while limiting the potential for dosing errors.
The research team reviewed crowdsourced data from scans of more than 200,000 infusion pumps on the networks of hospitals and other healthcare organizations. Security gaps were detected in 75% of the scanned medical devices.
“These shortcomings included exposure to one or more of some 40 known cybersecurity vulnerabilities and/or alerts that they had one or more of some 70 other types of known security shortcomings for IoT devices,” wrote researchers in a blog post published Wednesday.
Despite the efforts of medical equipment makers, security researchers, cybersecurity vendors and regulators to share information about known vulnerabilities and approaches on how to secure the pumps, researchers found historic flaws on more than half of the devices they scanned.
“One of the most striking findings was that 52% of all infusion pumps scanned were susceptible to two known vulnerabilities that were disclosed in 2019 – one with a “critical” severity score and the other with a “high” severity score,” noted Unit 42.
Tim Erlin, VP of Strategy at cybersecurity company Tripwire, said design played a crucial role in achieving ongoing device security.
“Many connected medical devices simply aren’t designed to be updated once deployed, which makes patching vulnerabilities on deployed devices nearly impossible,” said Erlin.
He added: “The life cycle of a connected embedded device needs to allow for security updates. It’s simply not possible to create an embedded platform that will never have vulnerabilities.”
Erlin called for lawmakers to establish a security standard that medical devices must adhere to.
“With connected medical devices, the market dynamics simply won’t move fast enough to drive the right behavior,” said Erlin.
“Regulation needs to step in to move vendors and providers alike to ensure that the connected devices used for delivering care meet a minimum standard for security. Devices that can’t be updated need to be replaced.”