McAfee Enterprise researchers on Tuesday said they had found multiple vulnerabilities in infusion pump software that, under certain conditions, a skilled hacker could use to alter a patient’s medication dose to a potentially unsafe level.
The vulnerabilities are in equipment made by multinational vendor B. Braun that are used in pediatric and adult health care facilities in the United States.
While there are no reports of malicious exploitation of the flaws, the research illustrates the challenge of securing devices conceived decades ago from 21st-century digital threats. The findings come as the health care sector reckons with a series of ransomware attacks that hit aging hospital computer networks during the pandemic.
Medical devices “remain vulnerable to legacy issues that have persisted for many years and have exceptionally slow update or upgrade cycles,” said Steve Povolny, who heads the Advanced Threat Research team at McAfee Enterprise.
In a statement, B. Braun said the firm disclosed the vulnerabilities, and mitigation steps, to customers and the Health Information Sharing and Analysis Center in May, and that the vulnerabilities affect “a small number of devices utilizing older versions of B. Braun software.” The firm did not provide an estimate of the number of devices affected.
“We strongly disagree with McAfee’s characterization in its post that this is a ‘realistic scenario’ in which patient safety is at risk,” the B. Braun statement continues. “We have a robust vulnerability disclosure program and when vulnerabilities are discovered, our goal is to mitigate potential risks as quickly as possible.”
The research comes with caveats: The attack scenario requires a hacker to first access the local network on which the devices run, and the infusion pumps must be on standby rather than in use.
Medical professionals also monitor doses administered by infusion pumps and are trained to spot irregularities. Nonetheless, Povolny and his colleagues demonstrated how an attacker might stealthily alter the medication doses — with the machine none the wiser.
After gaining access to the infusion pump’s communication module, the McAfee researchers showed how they could inject code into binary files the machine uses to communicate with the pump’s configurations. To cover their tracks, the researchers simply had to reboot the infusion pump, they said, wiping evidence of their commands.
While the latest version of the B. Braun infusion pump blocks the means by which the researchers accessed the pump’s communications module, there are other possible entry points for hackers, according to McAfee Enterprise researchers. B. Braun has yet to issue software updates that fully address the security issues, the researchers said.
A spokesperson for the Food and Drug Administration said the agency had not been informed of the vulnerability disclosure.
“FDA will reach out to the researchers, examine the vulnerability information upon its release, and will coordinate with the medical device manufacturer for a review of the impact assessments so as to determine if potential patient safety concerns exist that may have regulatory implications,” the FDA spokesperson said.
B. Braun, which is based in Pennsylvania and has offices around the world, reported $8.7 billion in sales last year.
As researchers have more closely examined medical equipment for hackable flaws in recent years, the FDA has tried to prod vendors into better security practices.
In 2019, for example, the FDA told patients to switch to more secure models of insulin pumps after researchers showed how a hacker might control the delivery of insulin on a pump made by Medtronic, a major vendor.
A growing number of medical device vendors have set up vulnerability disclosure programs, wherein researchers can report software flaws before bad actors exploit them. But experts say the industry still struggles with promptly applying key software updates.
The McAfee Enterprise research is the latest to point to insecurities in real-time operating systems (RTOS), the software hubs that manage data flow across a network in sectors such as energy and health. BlackBerry last week confirmed that its RTOS, which is popular in infusion pumps, is susceptible to a separate set of denial-of-service vulnerabilities.
UPDATE, 9:26 a.m. EDT: This story has been updated with a statement from the Food and Drug Administration.