Palo Alto Networks Unit 42 researchers discovered that 75% of medical infusion pumps suffered from known security vulnerabilities, risking patients’ lives and sensitive information.
The researchers made the “striking findings” after analyzing crowdsourced data from over 200,000 infusion pumps using Palo Alto’s IoT Security for Healthcare framework.
They found that the devices suffered from at least one or more of 40 known cybersecurity vulnerabilities and/or alerts of having at least one of 70 other types of known security shortcomings for IoT.
The security researchers highlighted the need for the healthcare industry and other players to double their efforts to protect against known vulnerabilities and follow security best practices.
52% of medical infusion pumps suffer from critical and high severity security vulnerabilities.
Unit 42 researchers attempted to understand how healthcare providers secure network-connected smart infusion pumps that administer fluid directly to patients.
They grouped the security vulnerabilities into three categories namely, leakage of sensitive information, unauthorized access and overflow, and third-Party TCP/IP flaws.
The researchers discovered that more than half (52%) of all the infusion pumps scanned were susceptible to two known vulnerabilities that were disclosed in 2019.
Additionally, each had at least one security vulnerability with a “critical” severity score and another with a “high” severity score.
Leakage of sensitive information is the biggest security risk
The study found that leakage of sensitive information is the biggest security risk facing medical infusion pumps and other internet of medical things (IoMT) devices.
Such devices could leak patient-specific data, operational information, or device or network configuration credentials.
For example, remote attackers could leverage CVE-2020-12040 vulnerability to intercept cleartext communication between medical infusion pumps and servers via man-in-the-middle attacks.
Similarly, local attackers with physical access to medical infusion pumps could access sensitive information by leveraging CVE-2016-9355 and CVE-2016-8375 security vulnerabilities.
Additionally, overflow and unauthorized access security vulnerabilities could grant access to unauthenticated users. The problem was compounded by the use of default credentials which are available online.
Similarly, these vulnerabilities could allow medical devices to accept traffic that could make the device unresponsive disrupting patient care.
In 2021, McAfee discovered security vulnerabilities in two B. Braun medical infusion pumps that could allow hackers to administer lethal doses.
Similarly, medical device manufacturers recalled at least seven medical infusion pumps and/or their components in 2021 and at least nine others in 2020.
The researchers also noted that most IoMT devices use third-party libraries and network stacks, introducing new vulnerabilities like CVE-2019-12255 and CVE 2019-12264.
They noted that common alerts present on most devices could suggest various security weaknesses such as default security credentials.
“Overall, most of the common security alerts raised on infusion systems indicate avenues of attacks that the device owner should be aware of, for example, via internet connections or default username and password usage,” they wrote.
Luckily, there is a “vast array of information” about known security vulnerabilities and how to secure medical infusion pumps, thanks to more than a decade worth of research.
Challenges with securing IoMT devices
“Many connected medical devices simply aren’t designed to be updated once deployed, which makes patching vulnerabilities on deployed devices nearly impossible,” Tim Erlin, VP of Strategy at Tripwire. “The life cycle of a connected embedded device needs to allow for security updates. It’s simply not possible to create an embedded platform that will never have vulnerabilities.”
Erlin recommended more regulatory actions to make healthcare providers and vendors meet the minimum security standards. Additionally, they should remove or withdraw devices that cannot be updated.
Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, says medical devices have a poor record in providing “simple and timely” patching mechanisms.
“It’s not uncommon to find diagnostic or testing equipment in healthcare environments running ancient versions of software such as WindowsXP embedded,” Clements said.
“Worse, there is often no supported mechanism from the original manufacturer, and that’s assuming they are still in business. There’s a similar issue with medical devices that incorporate computer-controlled or other “smart” features.”
Clements noted that many medical devices cannot be serviced by end-users or healthcare providers, making patients completely dependent on manufacturers.
“Unfortunately, medical devices are often insecure, despite frequent warnings from cybersecurity professionals,” noted Erich Kron, Security Awareness Advocate at KnowBe4. “In some cases, the medical facilities underestimate how easily these vulnerabilities can be exploited by bad actors.
“In others, they simply don’t feel that a bad actor would target medical equipment, and in even other cases, the device manufacturers have not provided patches to deal with these vulnerabilities. There is also the issue of tracking down the devices to patch them.”
Kron noted that some medical devices like stethoscopes move to different locations, making it difficult to track them. Additionally, the risk of devices malfunctioning and becoming inoperable after patching raises concerns.
“All of these issues add up to a challenging situation that leaves vulnerable equipment floating around facilities all around the globe,” Kron said.