Drug Delivery Business

DHS warns again on cybersecurity flaw in BD’s Alaris infusion pump

June 14, 2019 By Danielle Kirsh

The U.S. Homeland Security Dept. yesterday warned of two more cybersecurity vulnerabilities with the Alaris infusion pump made by Becton, Dickinson (NYSE:BDX).

The DHS Industrial Control Systems Cyber Emergency Response Team, acting on weaknesses unearthed by researchers at CyberMDX, said the vulnerabilities could allow a malicious attacker to completely disable BD’s Alaris Gateway Workstation and install malware or report false information. The attacker could also exploit the flaw to communicate directly with the pumps to change drug dosages and infusion rates, ICS-CERT said.

DHS issued an advisory in August 2018 warning consumers that the Alaris syringe pumps could be hacked when connected to a terminal server. The company said at the time that that vulnerability could not be exploited if it was connected to an Alaris Gateway Workstation.

CyberMDX researchers said that the Alaris Gateway Workstations are vulnerable to a new exploit that could remotely manipulate firmware files. No special privileges are needed to execute the attack, meaning hackers can freeze the system until it is repaired by the manufacturer. A hacker could also use the gateway to prevent the administration of life-saving treatment and alter intended drug dosages.

CyberMDX and the U.S. Department of Homeland Security tested and validated the vulnerabilities before BD confirmed them. The Alaris Gateway firmware was found to have a Common Vulnerability Scoring System (CVSS) risk score of 10.0 (critical). The vulnerability in the workstation's web browser user interface had a CVSS risk score of 7.3 (high).

“Identifying, quantifying and prioritizing medical device security vulnerabilities requires constant vigilance. Our goal is to discover and help remedy critical vulnerabilities before they are exploited to adversely affect patient care,” Elad Luz, head of research at CyberMDX, said in a press release. “The onus for medical device security lies across all stakeholders – the device manufacturers, healthcare providers and technology companies — and CyberMDX’s cybersecurity research team is committed to working with all these parties to make hospitals safer and medical equipment more reliable.”

Alaris Gateway Workstations offer mounting, power and communication support to infusion pumps, which are used in a number of therapies, including fluid therapy, blood transfusions, chemotherapy, dialysis and anesthesia.

The company’s firmware vulnerability was given a severity score of 10 out of 10.

BD recommended using the latest firmware versions 1.3.2 or 1.6.1 for the Alaris Gateway Workstation Web Browser User Interface vulnerability. The company also suggested that users make sure only appropriate associates can access their network and that they isolate their networks from untrusted systems. For the Alaris Gateway Workstation Dangerous File Upload vulnerability, BD recommended blocking the SMB protocol and segregating the VLAN network.

Filed Under: Hospital Care, Regulatory/Compliance Tagged With: BD, Becton Dickinson

About Danielle Kirsh

Danielle Kirsh is an award-winning journalist and senior editor for Medical Design & Outsourcing, MassDevice, and Medical Tubing + Extrusion, and the founder of Women in Medtech and lead editor for Big 100. She received her bachelor's degree in broadcast journalism and mass communication from Norfolk State University and is pursuing her master's in global strategic communications at the University of Florida. You can connect with her on Twitter and LinkedIn, or email her at dkirsh@wtwhmedia.com.
