Data from over 200,000 network-connected infusion pumps have shown that more than 3 out of 4 of the hospitals’ medical devices have security vulnerabilities. In short, more than 75% of medical devices are vulnerable to potential exploitation, which was appraised by the security analysts at Unit 42.
Here the most alarming thing that has been noted is that among the 75% of scanned devices, more than 52.11% of devices are vulnerable to two critical vulnerabilities that were initially identified in 2019.
The two critical vulnerabilities that are identified in 2019 are mentioned below:-
Here’s what one of the security researchers of Unit 42, Aveek Das stated:-
“These shortcomings included exposure to one or more of some 40 known cybersecurity vulnerabilities and alerts that they had one or more of some 70 other types of known security shortcomings for IoT devices.”
Infusion Pump Vulnerabilities
In total there are 10 vulnerabilities has been detected by the Palo Alto Networks that are affecting the Infusion Pumps, and here they are mentioned below:-
- CVE-2019-12255: It’s a buffer overflow flaw in the TCP component of Wind River VxWorks with a CVSS score of 9.8.
- CVE-2019-12264: It’s an issue with incorrect access control in the DHCP client component of Wind River VxWorks with a CVSS score of 7.1.
- CVE-2016-9355: It’s an unauthorized user with physical access to an Alaris 8015 Point of Care unit may be able to disassemble the device to access the removable flash memory, allowing read-and-write access to device memory with a CVSS score of 5.3.
- CVE-2016-8375: It’s a credential management error in Alaris 8015 Point of Care units that could be exploited to gain unencrypted wireless network authentication credentials and other sensitive technical data with a CVSS score of 4.9.
- CVE-2020-25165: It’s an improper session authentication vulnerability in Alaris 8015 Point of Care units that could be abused to perform a denial-of-service attack on the devices with a CVSS score of 7.5.
- CVE-2020-12040: It’s a cleartext transmission of sensitive information in Sigma Spectrum Infusion System with a CVSS score of 9.8.
- CVE-2020-12047: It’s a use of hard-coded FTP credentials in Baxter Spectrum WBM with a CVSS score of 9.8.
- CVE-2020-12045: It’s a use of hard-coded Telnet credentials in Baxter Spectrum WBM with a CVSS score of 9.8.
- CVE-2020-12043: It’s a Baxter Spectrum WBM FTP service that remains operational after its expected expiry time until it’s rebooted with a CVSS score of 9.8.
- CVE-2020-12041: It’s a Baxter Spectrum Wireless Battery Module (WBM) that permits data transmission and command-line interfaces over Telnet with a CVSS score of 9.8.
What if a vulnerability in the hospital’s security measures resulted in the patient’s valuable information being leaked? This could be used to the attacker’s advantage, potentially allowing the hacker to gain unauthorized access to the device by exploiting already present flaws.
As the cybersecurity analysts at McAfee, last year discovered potentially hazardous vulnerabilities in a widely used medical pump that could potentially be exploited by the threat actors to tamper with infusion pumps and medication doses without any authentication.
The cybersecurity analysts have recommended some security strategies and here they are:-
- Accurate discovery and inventory
- Holistic risk assessment
- Apply risk reduction policies
- Prevent Threats
This event depicts that there is an urgent need for healthcare to tighten its defenses with infusion pumps and hospital networks.