The Department of Homeland Security (DHS) warned Thursday of a severe security vulnerability affecting some Becton Dickinson infusion pumps.
DHS gave the BD Alaris Gateway Workstation weakness the maximum score on a standard vulnerability scale. The score reflects the lack of authentication required to access the device and upload malicious files.
A hacker who exploited the vulnerability could adjust the infusion rate or stop a device from working, putting the patient at risk, but BD has not received any reports of this happening.
The DHS notice flags two weaknesses concerning infusion pumps running on older firmware. The biggest problem is that the devices do not restrict upload of malicious files during firmware updates.
No authentication is required to access the Alaris Gateway Workstation. If a hacker gained access to the hospital network, they could update and manipulate a file to affect the functioning of the infusion pump. In theory, the hacker could alter the infusion rate, causing a patient to get far too much or too little of a medication.
BD said this is unlikely to happen because it would require a highly trained hacker to perform steps in a specific order. Some of those steps, such as the file manipulation, are complex, but the fact that the device lacks authentication protection led the DHS to class it as a low-skill-level vulnerability.
The second problem scored lower on the vulnerability scale, 7.3 as opposed to 10.0. That weakness could allow a hacker to access the web browser user interface. BD said no patient information is stored on the interface “by default” but a hacker could view information including event logs and change the network configuration of the workstation.
BD is advising users to mitigate the firmware threat by blocking a client-server communication protocol used for sharing access to files. The company has developed an additional response, too, and will share details within 60 days.
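The interim mitigation above is a network control: keep the file-sharing protocol from reaching the gateway workstation at all. The following script is an added example written for this article, not BD's or DHS's own guidance text. It assumes the protocol in question is SMB/CIFS (TCP 445 and 139, UDP 137 and 138), which the article does not name, and it uses a constructed placeholder subnet for the workstations; the rules are only printed unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example: emit iptables rules that drop SMB/CIFS traffic forwarded toward
# a gateway workstation subnet. Treating "a client-server protocol used for
# sharing access to files" as SMB is an assumption, not something the article
# states. The subnet below is a constructed placeholder.

WORKSTATION_CIDR="${WORKSTATION_CIDR:-192.0.2.0/24}"

# Print one DROP rule per SMB-related port, destination = the workstation subnet.
smb_block_rules() {
    cidr="$1"
    for spec in "tcp 445" "tcp 139" "udp 137" "udp 138"; do
        set -- $spec            # $1 = protocol, $2 = port
        echo "iptables -A FORWARD -p $1 --dport $2 -d $cidr -j DROP"
    done
}

# Apply the rules, or only print them when DRY_RUN is 1 (the default here).
apply_smb_block() {
    cidr="$1"
    smb_block_rules "$cidr" | while IFS= read -r rule; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "[dry-run] $rule"
        else
            sh -c "$rule"
        fi
    done
}

apply_smb_block "$WORKSTATION_CIDR"
```

The rules sit in the FORWARD chain, so they only help on a router or firewall between the general hospital network and the segment holding the workstations; they do nothing for hosts that share a broadcast domain with the device, which is why segmenting the workstations onto their own network is the more durable control.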
None of the pumps are sold in the U.S. but they are well established in other territories, including Asia and Europe. BD lists the Alaris pumps among the principal products it sells outside of the U.S. The weaknesses were identified by CyberMDX, a healthcare cybersecurity company that raised $10 million last year.
The discovery of the weaknesses marks the fourth time BD’s Alaris line of products has been the subject of cybersecurity notices from DHS. One of the prior vulnerabilities received almost as high a score as the new firmware problem.