US DHS warns of vulnerabilities in Smiths Medical Medfusion 4000 infusion pump

The US Dept. of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team has released a warning over issues with Smiths Medical’s Medfusion 4000 wireless syringe infusion pump after discovering 8 cybersecurity vulnerabilities in the device.

The notice is for versions 1.1, 1.5 and 1.6 Medfusion 4000 wireless syringe infusion pumps, according to the DHS notice.

Vulnerabilities include 3rd party components which could cause crashes or allow remote code to be used on the devices, and issues with the device’s wireless and wired network configuration and credentials.

The DHS said that the vulnerabilities can be exploited remotely, though there have been no reports of anyone trying to exploit them.

“Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access and impact the intended operation of the pump. Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump,” the DHS warned. “Impact to individual organizations depends on many factors that are unique to each organizations. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment and specific clinical usage.”

The agency said that Smiths Medical had released recommendations for protecting from the vulnerability, including assigning static IP addresses to the devices, monitoring network activity and engaging in micro segmentation and virtual local area networks as well as appropriate password hygiene and backups.

The company is planning to release a new product version to address the vulnerabilities next January.

“The possibility of this exploit taking place in a clinical setting is highly unlikely, as it requires a complex and an unlikely series of conditions. We have been engaged with the FDA Center for Devices and Radiological Health and the U.S. Department of Homeland Security’s Industrial Control System – Computer Emergency Response Team (ICS-CERT) to resolve this issue,” Smiths Medical wrote in a statement on the vulnerability.

Late last month, Smiths Medical said it won 510(k) clearance from the FDA for its CADD-Solis wireless ambulatory infusion pump.