Security Gaps in 150,000 Infusion Pumps Makes Them Vulnerable to Hacking: Report

Medical device manufacturers have done little to close cybersecurity gaps in infusion pumps and other vulnerable machines, even after years of experts warning about hacking risks

Despite years of cybersecurity warnings issued by federal safety officials, a recent report indicates serious security gaps exist in 75% of patient-critical machinery used to deliver medications and fluids to patients, leaving the devices vulnerable to hackers.

The multinational cybersecurity company, Palo Alto Networks, released the findings of their medical device cybersecurity report earlier this month, which warned that the majority of infusion pumps currently in use at healthcare facilities across the U.S. have security gaps that put them at increased risk of being hacked.

Since 2014, the U.S. Department of Homeland Security (DHS) has been actively investigating at least two dozen cases of suspected cybersecurity flaws in medical devices and hospital equipment. DHS has warned that if preventative actions to strengthen the medical field’s cybersecurity issues are not taken, hackers could exploit these vulnerabilities and put patients in serious risk or injury or death.

One of the most commonly identified medical devices with high security are infusion pumps, which are networked machines that deliver fluids and drugs in controlled doses, such as insulin for diabetics and pain medication for cancer patients.

The cybersecurity group reviewed crowdsource data from scans of more than 200,000 infusion pumps currently networked and in-use at hospitals or healthcare settings across the United States, using IoT Security for Healthcare.

The scans revealed 40 different vulnerabilities, and over 70 different security alerts among all infusion pumps. Of the 200,000 pumps scanned, 75% contained major vulnerabilities to at least one of the 110 identified and known security threats which could allow hackers to compromise the infusion pump’s functionality.

Moreover, the group discovered 52% of the infusion pumps scanned were susceptible to two serious vulnerabilities that have been disclosed since 2019, one of which the report warns comes with a critical 9.8 out of 10 severity score while the other had a 7.1 severity score. The report further found that more than 30,000 infusion pumps scanned contained five critical 9.8 severity score threats against them.

Medical Device Cybersecurity Risks To Patients

Cybersecurity threats in the medical field have been a growing concern over the last decade, as an increasing number of medical devices contain major vulnerabilities or run on unsupported operating systems, which could expose users to life-threatening risks.

In a 2018 demonstration at Defcon, a large annual hacker convention in Las Vegas, Nevada, McAfee researchers hacked into a central patient monitoring station to show that it could be done from a great distance away if the hospital’s system was connected to the internet and contained vulnerabilities.

The demonstration was put on only two years after a number of U.S. hospitals were hacked, at which time the systems were infected with malware that stopped staff from being able to communicate with their computers. As a result of the cybersecurity problems, some hospitalized patients had to be moved abruptly, which may have impacted care.

Following the incident, the FDA released a cybersecurity postmarket guidance in October 2019, recommending medical device manufacturers conduct risk assessments to develop risk mitigation plans as they develop new devices. Device manufacturers were also being encouraged to work with operating system vendors to identify available patches and other recommended mitigation methods.

In 2019, the FDA issued a safety communication about vulnerabilities with Medtronic ICDs or cardiac resynchronization therapy defibrillators (CRT-Ds), after discovering the wireless telemetry system used to communicate and alter the implanted devices could be hacked due to a lack of security protocols.

Later the same year in November, Medtronic issued a second Medtronic MiniMed insulin pump recall after the manufacturer identified someone other than the patient or healthcare provider could remotely change insulin delivery settings and alter glucose level data, potentially leading to life threatening conditions such as the development of severe hypoglycemia or high blood sugar and diabetic ketoacidosis.