The U.S. Department of Homeland Security issued a warning Sept. 7 notifying health facilities of potential security flaws in several versions of the MedFusion 4000 Wireless Syringe Infusion Pump manufactured by Plymouth, Mass.-based Smiths Medical.
The notice, issued by the USDHS' Industrial Control Systems — Cyber Emergency Response Team, cited eight separate flaws in several versions of the device that may allow hackers to "gain unauthorized access and … may be possible for an attacker to compromise the communications module and therapeutic module of the pump." However, the USDHS acknowledged there have been no "known public exploits" explicitly targeting the device's vulnerabilities.
Smiths Medical issued a statement about the device Sept. 7, stating the potential risk of exploitation in a clinical setting is "highly unlikely [because] it requires a complex and an unlikely series of conditions" to be met before the device could be compromised and abused.
The manufacturer also said it plans to roll out a software security update by January 2018 to resolve the issue and protect against future cybersecurity exploits.
The MedFusion wireless infusion pump is used to deliver small doses of medication in acute care settings. Smiths Medical officials said the product is used in various healthcare settings worldwide.
The vulnerabilities were initially discovered by an independent security researcher.
To view ICS-CERT's security notice, click here.