3 in 4 infusion pumps vulnerable to cyberattacks: study

As many as 75% of infusion pumps connected to hospital networks may be vulnerable to digital attacks, potentially putting patients at risk or exposing private data, according to a report from a group of cybersecurity researchers.

Palo Alto Networks and its Unit 42 Threat Intelligence team used crowdsourced data from scans of more than 200,000 smart infusion pumps and discovered 3 in 4 had known security gaps. 

Some of these vulnerabilities could allow an attacker to remotely intercept unencrypted communications from the device or permit an unauthorized person to change how the pump delivers intravenous medications. Other vulnerabilities may be less likely to be exploited and could only be used by someone with physical access to the machine.

Altogether, the company’s report identified more than 40 direct cybersecurity flaws. It listed some of the most common issues—with each traced back to more than half of the vulnerable pumps analyzed—as having been publicly documented since 2016 or 2019. At the same time, many devices had one or more of about 70 types of known security shortcomings associated with Internet of Things hardware. 

Some of the most commonly observed weaknesses related to leaving usernames and passwords unchanged from the device’s default factory settings—what Palo Alto Networks charitably described as a “security no-no.” These login credentials can be easily found in product manuals available online.

And while the FDA and manufacturers have worked to set cybersecurity standards for medical devices as well as to offer software updates and recall affected infusion pumps, the researchers said failures to implement best practices and insufficient security training for healthcare workers remain contributing factors.

In addition, “the average infusion pump has a life of eight to 10 years, which means the widespread use of legacy equipment has hampered efforts to improve security,” they wrote.

More broadly, late last year the FDA alerted medtech manufacturers to the hacking risk discovered within the widely used Apache Log4j tool, a flaw that has been described as one of the largest and most critical vulnerabilities of the last decade.

According to industry estimates, more than 90% of all enterprise cloud software environments were vulnerable to the flaw, and the agency said it may also allow an unauthorized user to remotely impact the safety and effectiveness of medical devices.

As of December 2021, no cases of patient harm had been reported to the FDA, but the agency suggested manufacturers assess and secure their own software and also evaluate any third-party systems connected to their own platforms.