Hospital infusion pump could be remotely hijacked with 2 vulnerabilities found


Two flaws were discovered in a workstation used to dock an infusion pump commonly used at hospitals that could allow hackers to remotely hijack and control the device, according to TechCrunch.

Healthcare security firm CyberMDX found the vulnerabilities in the Alaris Gateway Workstation which is manufactured by Becton Dickinson. The infusion pump is not availalbe or sold in the U.S. 

The bugs in the workstations could allow a hacker to install malicious firmware on an infusion pump's onboard computer, which powers, monitors and controls the pumps, the security firm said. The workstation's gateway is run on Windows CE.

Researchers at the security firm said it is possible for a hacker to adjust specific commands on the pump, such as infusion rates, by installing modified firmware. It would also be possible to remotely brick the onboard computer.

One of the vulnerabilities scored a 10 on the Homeland Security's advisory scoring system, the worst score. The second was scored a 7.3 out of 10.

Hospitals should update to the latest firmware available for the Alaris Gateway Workstation to fix the bugs, a spokesperson for Becton Dickinson said. 

"In order for a malicious attacker to alter a pump’s infusion parameters, many prerequisites are required, including access to the hospital network, intimate knowledge of the product and the ability to update and manipulate a CAB file, which stores files in an archived library and utilizes a proper format for Windows CE," a Becton Dickinson spokesperson told Becker's. 

Editor's note: This article was updated on June 17 at 4:50 pm CDT. 

© Copyright ASC COMMUNICATIONS 2021. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.


Featured Whitepapers

Featured Webinars