by
John R. Fischer, Senior Reporter | March 21, 2022
Three-quarters of infusion pumps are vulnerable to cyberattacks.
Three-quarters of infusion pumps have security flaws that make them more vulnerable to cyberattacks. In addition, 52% are susceptible to two risks disclosed in 2019, with one ranked as critically severe and the other as highly severe.
This is what Palo Alto Networks' Unit 42, a team of security analysts that research cyberthreats, found when analyzing more than 200,000 pumps on the networks of hospitals and other healthcare organizations that use the company's IoT Security for Healthcare. One or more of some 40 known cybersecurity vulnerabilities and 70 other types of security shortcomings were in 75%.
As network-connected devices, infusion pumps act as a pathway for attackers into hospital networks, which can put the lives of patients at risk and expose sensitive data. “Our discovery of security gaps in three out of four infusion pumps that we reviewed highlights the need for the healthcare industry to redouble efforts to protect against known vulnerabilities, while diligently following best practices for infusion pumps and hospital networks," said Unit 42 in a blog post.
Among the vulnerabilities uncovered were leakage of sensitive information, overflow or incorrect access control, and security flaws in IoMT (and IoT) devices and their operating systems that use third-party cross-platform libraries such as network stacks.
Despite efforts from manufacturers, researchers and the government, several issues make infusion pumps easy targets for attackers. Many providers rely on older, legacy models that do not have adequate security measures and insufficiently use network segmentation and best practices for protecting themselves against attacks. Security training for healthcare workers is also not up to par.
Even updating pumps with security updates and features
is a struggle because the task requires locating all units of a fleet and manually implementing the change. Most pumps currently do not support wireless software and firmware updates, according to Juuso Leinonen, a senior project engineer at ECRI. "This can be particularly challenging with security updates that may merit expeditious implementation," he told HCB News in an article last year.
Additionally, large hospitals or clinics can house thousands of infusion pumps. These vast number of devices make recalls long and anxious processes for supply chain managers, clinical engineers and IT security teams. The researchers say they require more than just alerts but strategies and technology with built-in protection that can help secure these devices.
