BD issues cybersecurity alert for hacking risk found in Alaris infusion pump monitoring software

A vulnerability found in software used to monitor some of BD’s infusion pumps could potentially give hackers access to personal data stored in the system.

BD posted a cybersecurity bulletin about the issue Thursday and said it has already notified the FDA and the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), among other relevant authorities, about the potential threat.

According to the alert, the vulnerability affects only the company’s Alaris Infusion Central software, which is not distributed in the U.S., and not the infusion pumps themselves. The software is installed on a hospital computer and linked to Alaris Plus and Alaris neXus pumps. It allows clinicians to monitor data sent from the devices, which are used to control the delivery of medications, nutrients and other fluids to patients via IV.

The alert comes after BD discovered that in certain versions of the software, the password used for database installation could be recovered fairly easily; in a notice of its own, CISA graded the vulnerability as having “low attack complexity.”

Though the Alaris Infusion Central database doesn’t store patient health data, according to BD, hospitals using the software may choose to store other personal information in the database—which could then be accessed and tampered with by a hacker who is able to recover the system password.

BD assigned the hacking risk a score of 7.3 out of 10 on the Common Vulnerability Scoring System, denoting a “high” severity. The flaw didn’t reach the rating system’s “critical” threshold: while it could potentially result in a “high impact to confidentiality and integrity” and “partial impact to availability of data,” per the device maker, it is limited by the fact that a hacker would need local access to a hospital’s own operating system and server to reach the software.

Despite the potential risks, BD concluded from its own assessments that “there is a low probability of harm occurring,” especially because the software is only used to track infusion pump data and can’t be used to alter the settings of connected devices.

The company said it is in the process of contacting all affected healthcare providers to “initiate remediation.” In the meantime, those using the software should regularly change their database passwords and ensure that only authorized users have access to the server. BD has also revised the installation procedure for the software so that future installations do not introduce the same risk.

Though this vulnerability relates only to the software used to monitor infusion pumps, the pumps themselves are particularly vulnerable to other attacks. A study published last year found that as many as 75% of the devices could be at risk of being hacked, potentially allowing malicious actors to access the pumps’ data and even reconfigure their settings.

BD hasn’t been immune to those risks. In December, it put out another cybersecurity bulletin describing the possibility that several models of its BodyGuard infusion pumps could be broken into—though only by hackers with physical access to the pumps. That concern was given a “medium”-severity Common Vulnerability Scoring System score of 5.3.