Fed agency alert says Alaris Gateway could compromise pumps

The Department of Homeland Security is warning of vulnerabilities in BD Alaris Gateway workstations that could enable hackers to manipulate them remotely.

The federal agency says security weaknesses in the devices could allow outside agents to disable the device, install malware or report false information, and even take over infusion pumps.

According to Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the vulnerabilities discovered by cybersecurity vendor CyberMDX could—in extreme cases—enable a hacker to communicate directly with pumps connected to gateways to alter drug dosages and infusion rates.


Homeland Security, BD Alaris and CyberMDX collaborated to assess the extent of the risk and express it as baseline Common Vulnerability Scoring System (CVSS) scores, with sobering results.

The vulnerability in the Alaris Gateway firmware was found to have a CVSS score of 10.0, which is deemed to be critical. Further, a vulnerability within the web browser user interface of the Alaris Gateway Workstation had a CVSS risk score of 7.3, which is considered to be high.


Alaris Gateway Workstations are used to provide mounting, power and communication support to infusion pumps, and these devices are then used to support treatment therapies that could include fluid therapy, blood transfusions, chemotherapy, dialysis and anesthesia.

CyberMDX has further discovered that the Alaris workstations are vulnerable to an exploit that could remotely manipulate firmware files. This attack requires no special privileges to execute, according to the vendor. It can also enable hackers to manipulate gateway communication with connected infusion pumps, and, for some infusion models, hackers could prevent administration of life-saving treatment or alter intended drug dosages.

“Identifying, quantifying and prioritizing medical device security vulnerabilities requires constant vigilance,” says Elad Luz, the head of research at CyberMDX. “The onus for medical device security lies across all stakeholders.”
