Hospital infusion pump could be remotely hijacked with 2 vulnerabilities found

Mackenzie Garrity

Two flaws were discovered in a workstation used to dock an infusion pump commonly used at hospitals that could allow hackers to remotely hijack and control the device, according to TechCrunch.

Healthcare security firm CyberMDX found the vulnerabilities in the Alaris Gateway Workstation, which is manufactured by Becton Dickinson. The infusion pump is not available or sold in the U.S.

The bugs in the workstations could allow a hacker to install malicious firmware on an infusion pump's onboard computer, which powers, monitors and controls the pumps, the security firm said. The workstation's gateway is run on Windows CE.

Researchers at the security firm said it is possible for a hacker to adjust specific commands on the pump, such as infusion rates, by installing modified firmware. It would also be possible to remotely brick the onboard computer.

One of the vulnerabilities scored a 10 on Homeland Security's advisory scoring system, the worst score. The second was scored a 7.3 out of 10.

Hospitals should update to the latest firmware available for the Alaris Gateway Workstation to fix the bugs, a spokesperson for Becton Dickinson said. 

"In order for a malicious attacker to alter a pump’s infusion parameters, many prerequisites are required, including access to the hospital network, intimate knowledge of the product and the ability to update and manipulate a CAB file, which stores files in an archived library and utilizes a proper format for Windows CE," a Becton Dickinson spokesperson told Becker's. 

Editor's note: This article was updated on June 17 at 4:50 pm CDT. 
