Medical Device Cybersecurity for Connected Infusion Pumps
Infusion pumps represent 38% of connected hospital medical devices. They’re used extensively for hospitalized patients to help prevent errors in delivering life-saving medications. Because IV pumps are ubiquitous, mission-critical, and interface with patient records, they could be extremely dangerous if compromised by a cyberattack.
In January 2022, a research report by Cynerio, The State of Healthcare IoT Device Security 2022, showed that 73% of IV infusion pumps have at least one cybersecurity vulnerability. In March, Palo Alto Networks Unit 42 released a study of data from more than 200,000 infusion pumps made by seven different manufacturers. The Unit 42 study confirmed Cynerio’s findings, revealing that 75% of medical devices analyzed were affected by one or more vulnerabilities.
The study identified more than 40 individual vulnerabilities and over 70 different security alerts. A cyber attacker could, in theory, exploit these vulnerabilities to eavesdrop on infusion pump communications, disable the devices remotely, or even change the amount and timing of medication dosages.
Both reports underscore the risks associated with infusion pump security. They also offer insight into effective ways to mitigate those risks.
Infusion pump vulnerabilities that hackers look for
Cybercriminals work by searching specific areas that are known to have security flaws. These areas, called the “attack surface,” are targets because they harbor weaknesses that criminals can exploit to gain system access.
The Unit 42 study identified three primary types of infusion pump vulnerabilities:
- Leakage of sensitive information: leaks of operational details, patient-specific data, or device or network configuration credentials
- Unauthorized access and stack overflow: unauthenticated device access and the ability to overwrite code to take control over the device
- Third-party TCP/IC stacks: vulnerabilities found in protocols for rules and standards in-network data communications
These findings are especially concerning because 52% percent of infusion pumps included in the study were susceptible to two known vulnerabilities, categorized as “critical” and “high” severity.
Common causes of infusion pump vulnerability
The FDA has worked hard to address medical device cybersecurity since 2014. In April 2022, the agency released its most recent draft guidance for quality systems and premarket submission content. An FDA discussion paper, Strengthening Cybersecurity Practices Associated with Servicing of Medical Devices, asserts that "it remains critical for healthcare entities to understand the cybersecurity risks they are taking..."
Understanding of those risks is growing, but perhaps not as fast as it should. Despite the recommendations of the FDA and other stakeholders, the Unit 42 study found that the vulnerabilities were primarily linked to organizational failure to implement cybersecurity best practices.
The most common of these issues include:
- The prevalence of insecure passwords: According to the Cynerio report, insecure passwords continue to be the most common medical device security risk. This is due to various factors, including the use of hard-coded or default login credentials, many of which can easily be found in device manuals online.
- Inaction on software updates, patches, and recall recommendations: Patching and updates require time, staff, and resources. Workforce shortages and lack of automated procedures create barriers to responsive action. Despite increased awareness due to FDA medical device recall alerts, challenges with inventory management and organizational infrastructure can lead to inaction on recommendations.
- Inadequate cybersecurity controls: Hospitals may have gaps in basic or advanced security controls. Simple vulnerabilities such as unencrypted files or issues within a facility-wide vulnerability assessment system can result in significant damage.
- The use of legacy systems: The FDA and OEMs have worked together to make “security-by-design” a priority for the growing medical device industry. However, hospitals operate within a complex ecosystem of data, devices, and stakeholders. Legacy devices that weren’t intended for connectivity operate alongside mobile devices designed for the internet of things; third-party TCP/IP stacks, and other tools can’t always account for these discrepancies. Older operating platforms, such as early versions of Windows, remain vulnerable to old malware.
Fortunately, you can take steps to enhance protection against cyber threats targeting infusion pumps and platforms, regardless of age.
Critical tips for enhancing infusion pump cybersecurity
To protect IV infusion pumps from cyber threats, begin by addressing basic and advanced security control gaps. Third-party cybersecurity solutions are worthy investments but be sure to vet potential partners carefully.
- Basic medical device cybersecurity hygiene
The following actions can address some of the simplest vulnerability issues that criminals can easily exploit:
- Change default credentials
- Develop and enforce password policies (14+ characters, restricted access to master lists)
- Configure automatic logoff
- Assign access levels by user privilege tiers
- Reduce attack radius by segmenting IV pump networks
- Ensure firewalls and routers are correctly installed and configured
If possible, use the Lightweight Directory Access Protocol (LDAP) to centralize the management of user accounts.
- Vulnerability assessments
A vulnerability assessment uses defined parameters to identify vulnerabilities across a network and set priorities for risk reduction. The assessment process should include protocols for actions taken to remediate vulnerabilities, such as implementing OEM patches.
- Vulnerability alert management
Systems that offer continuous monitoring of security alerts provide an opportunity to address infusion system anomalies quickly. This can both prevent opportunities for cyber-attacks and identify any live attacks while they’re in progress.
- Investment in infrastructure to implement fixes and address recalls
In the case of a recall due to a cybersecurity issue, all affected medical devices must be identified and located. It’s then essential to comply with all recall recommendations. Hospitals can assign responsibility for alert management and designate ownership of responsive actions to help integrate risk mitigation into staff workflows.
Don’t forget to protect legacy devices
For most health systems, replacing older devices that still function optimally for patient care doesn’t make sense financially. Extending medical device lifespan has a significant effect on capital budgets and ROI. High-quality replacement parts and BMET training help keep older infusion pumps safe and effective for patient care. Likewise, investing in sustainable systems for cybersecurity compliance protects devices-and patients-from cyber threats.
Secure your legacy equipment by:
- Segmenting networks to isolate legacy operating systems
- Limit system access to critical data and services
- Conducting regular vulnerability scans
- Schedule inventory audits in connection with vulnerability scans
- Automating patches and software updates
Training staff on best practices and risk remediation protocols is one of the best ways to protect all infusion pumps from ransomware and other types of cyberattacks. Stress the importance of reporting anything atypical or abnormal.
Collaboration is key to mitigating medical device cybersecurity risks
Cybersecurity vulnerabilities in infusion pumps, and other medical devices, pose serious threats to hospitals and patients. Not only are cyberattacks costly to a hospitals’ reputation and bottom line, but also a serious threat to patient safety.
To mitigate cybersecurity threats, hospitals and health systems must encourage collaboration between IT, HTM, BMETs, clinical staff, risk management, and administration.