Skip to main content
close search
site logo
Dive Brief

DHS warns of severe security flaw with BD infusion pumps

Published June 14, 2019
By
Contributor
Kendall, Industry Dive

Dive Brief:

  • The Department of Homeland Security (DHS) warned Thursday of a severe security vulnerability affecting some Becton Dickinson infusion pumps.

  • DHS gave the BD Alaris Gateway Workstation weakness the maximum score on a standard vulnerability scale. The score reflects the lack of authentication required to access the device and upload malicious files.

  • A hacker that exploited the vulnerability could adjust the infusion rate or stop a device from working, putting the patient at risk, but BD has not received any reports of this happening.

Dive Insight:

The DHS notice flags two weaknesses concerning infusion pumps running on older firmware. The biggest problem is that the devices do not restrict upload of malicious files during firmware updates.

No authentication is required to access the Alaris Gateway Workstation. If a hacker gained access to the hospital network, they could update and manipulate a file to affect the functioning of the infusion pump. In theory, the hacker could alter the infusion rate, causing a patient to get far too much or too little of a medication.

BD said this is unlikely to happen because it would require a highly trained hacker to perform steps in a specific order. Some of those steps, such as the file manipulation, are complex but the fact that the device lacks authentication protection led the DHS to class it as a low skill level vulnerability

The second problem scored lower on the vulnerability scale, 7.3 as opposed to 10.0. That weakness could allow a hacker to access the web browser user interface. BD said no patient information is stored on the interface "by default" but a hacker could view information including event logs and change the network configuration of the workstation.

BD is advising users to mitigate the firmware threat by blocking a client-server communication protocol used for sharing access to files. The company has developed an additional response, too, and will share details within 60 days.

None of the pumps are sold in the U.S. but they are well established in other territories, including Asia and Europe. BD lists the Alaris pumps among the principal products it sells outside of the U.S. The weaknesses were identified by CyberMDX, a healthcare cybersecurity company that raised $10 million last year.

The discovery of the weaknesses marks the fourth time BD's Alaris line of products has been the subject of cybersecurity notices from DHS. One of the prior vulnerabilities received almost as high a score as the new firmware problem.

Recommended Reading

Editors' picks

Company Announcements

View all | Post a press release
New Published Study Shows MedLite ID as Faster and Simpler Solution to Primary Medication Infu…
From Orion Innovations
November 20, 2024
Osteal Therapeutics Announces Positive 12-Month Results from the APEX Clinical Trial Program a…
From Osteal Therapeutics
November 14, 2024
Arsenal Medical Launches EMBO-02 Study for NeoCast™ to Assess Treatment of Chronic Subdural He…
From Arsenal Medical
November 14, 2024
Viz.ai Wins Prestigious Prix Galien USA Award for Best Digital Health Solution
From Viz.ai
November 12, 2024
Editors' picks
Latest in Medical Devices
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell