Palo Alto Networks’ Unit 42 released results from a study showing that 75% of the infusion pumps observed had known cybersecurity gaps.
The results involved crowdsourced data from scans of more than 200,000 infusion pumps on the network of health providers using IoT Security for Healthcare from Palo Alto Networks.
The gaps observed in the study included exposure to one or more of some 40 known cybersecurity vulnerabilities and/or alerts that a pump had one or more of some 70 other types of known security shortcomings for IoT (internet of things) devices.
More than half (52%) of all infusion pumps scanned were susceptible to two known vulnerabilities disclosed in 2019. One had a “critical” severity score, and the other had a “high” severity score.
Among the infusion systems listed in the study was the BD Alaris system. It’s seen several recalls over the years, with BD beginning remediation for software issues last year. The company originally disclosed vulnerabilities for Alaris in 2017, 2019 and 2020.
Today, BD confirmed that it posted security bulletins about the use of hardcoded credentials in specific BD Pyxis medication management systems, BD Rowa pouch packaging systems and the BD Viper LT tabletop analyzer for molecular diagnostic testing.
BD said that hardcoded credentials aren’t used directly by customers or end-users to access the affected systems. For the vulnerability to be exploited, an unauthorized user would need to gain access to the hardcoded credentials, infiltrate the facility’s network and/or gain access to individual devices and bypass additional security controls.
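The bulletin above concerns a hardcoded credential, a secret baked into a product build rather than provisioned per unit, and explains why exploiting it takes more than knowing the secret. The example below is added here to illustrate that class of weakness from a defender's view; it is not BD's, Unit 42's or Palo Alto Networks' code and models none of the named products. It shows a constructed "vulnerable" device whose single baked-in password is shared across every unit, a hardened design where each unit is provisioned with its own credential at install time and stores only a salted hash, and a small audit helper that flags credential-like literals in source or configuration text. The device classes, the `DEVICE_SERVICE_PASSWORD` environment variable name, the sample configuration and all credential values are constructed for the example.

```python
"""Hardcoded versus provisioned device credentials, plus a simple audit check.

Added example (not vendor code). All names and values below are constructed.
"""
import hashlib
import hmac
import os
import re
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# --- Vulnerable pattern: one maintenance password baked into the firmware.
# Every unit shipping this build accepts the same secret, so learning it once
# (for example from a firmware image) is a fleet-wide problem.
BAKED_IN_SERVICE_PASSWORD = "Svc-Maint-2019!"   # constructed example value


class VulnerableDevice:
    def authenticate(self, password: str) -> bool:
        # Constant-time compare, but the real flaw is that the secret is
        # identical on every device and cannot be rotated without a new build.
        return hmac.compare_digest(password, BAKED_IN_SERVICE_PASSWORD)


# --- Hardened pattern: each unit gets its own credential at provisioning and
# keeps only a salted hash, so the firmware image carries no secret at all.
_PBKDF2_ROUNDS = 200_000


@dataclass
class ProvisionedDevice:
    device_id: str
    _salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    _pw_hash: Optional[bytes] = None

    def provision(self, password: str) -> None:
        self._pw_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, _PBKDF2_ROUNDS)

    def authenticate(self, password: str) -> bool:
        if self._pw_hash is None:          # never provisioned: deny, not allow
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, _PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, self._pw_hash)


def provision_from_environment(device_id: str) -> ProvisionedDevice:
    """Provision a unit from a per-install secret supplied out of band.

    DEVICE_SERVICE_PASSWORD is a hypothetical variable name for this example.
    """
    password = os.environ.get("DEVICE_SERVICE_PASSWORD")
    if not password:
        raise RuntimeError("no per-device credential supplied at provisioning")
    device = ProvisionedDevice(device_id)
    device.provision(password)
    return device


# --- Audit helper: flag lines that assign a credential-like key to a literal.
# Deliberately simple; real tooling would also scan binaries and config stores.
_CRED_RE = re.compile(
    r"""(?i)(pass(word|wd)?|pwd|secret|api[_-]?key|token)\s*[:=]\s*["']([^"']{4,})["']"""
)


def find_hardcoded_credentials(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, matched_key) for each suspicious assignment."""
    hits: List[Tuple[int, str]] = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):   # skip comment lines
            continue
        match = _CRED_RE.search(line)
        if match:
            hits.append((number, match.group(1)))
    return hits


# Constructed sample configuration text used to exercise the audit helper.
SAMPLE_CONFIG = """# constructed sample config, not from any real product
service_user = "maint"
service_password = "Svc-Maint-2019!"
log_level = "info"
api_token: 'abcd1234efgh'
"""

if __name__ == "__main__":
    print("vulnerable device accepts shared secret:",
          VulnerableDevice().authenticate(BAKED_IN_SERVICE_PASSWORD))
    unit = ProvisionedDevice("pump-01")
    unit.provision("per-unit-secret")
    print("provisioned unit rejects another unit's secret:",
          not unit.authenticate(BAKED_IN_SERVICE_PASSWORD))
    print("audit hits:", find_hardcoded_credentials(SAMPLE_CONFIG))
```

The audit helper is the part a defender can run today over firmware extracts, deployment scripts and configuration exports; it reports the line and the key name that matched so each finding can be triaged against the vendor's bulletins.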
The company has received no reports of exploitation of the vulnerability in a clinical setting but, for maximum awareness, has voluntarily reported it to the FDA and to the Information Sharing and Analysis Organizations (ISAOs) in which BD participates. Reports went, for example, to the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and to the Health Information Sharing and Analysis Center (H-ISAC).