Drug Infusion System Flaw Could Lead to Attack
Manufacturer BD and CISA Issue Warnings
Medical device maker Becton Dickinson and federal authorities have issued alerts concerning an authentication weakness that, if exploited, could result in a denial-of-service attack on certain models of the BD Alaris PC Unit drug infusion and monitoring system.
Nov. 12 alerts issued by BD and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency say that an improper authentication vulnerability discovered by a security researcher is exploitable remotely with a low skill level.
BD says, however, that it's received no reports of exploits of this vulnerability.
The affected products include the BD Alaris PC Unit, Model 8015, versions 9.33.1 and earlier, and the related BD Alaris Systems Manager, versions 4.33 and earlier, which are patient drug infusion and monitoring products.
"BD has been made aware of a network session vulnerability within the authentication process between specified versions of the BD Alaris PC Unit and the BD Alaris Systems Manager," the company says in its alert. "If exploited, this vulnerability could allow an unauthorized user to establish a direct networking session between the two products."
To exploit this vulnerability, an unauthorized user would need access to the customer's wireless network, redirect the BD Alaris PC Unit's authentication requests using custom code, and complete an authentication handshake based on the information extracted from those authentication requests, the company says.
"If exploited, an unauthorized user could perform a denial-of-service attack on the BD Alaris PC Unit by modifying the configuration headers of data in transit. A denial-of-service attack could lead to a drop in the wireless capability of the BD Alaris PC Unit, resulting in manual operation of the PC Unit."
In the event of such an attack, the Alaris PC Unit would continue to function as programmed, BD notes. "However, network-based services, such as pre-populating the Alaris PC Unit with infusion parameters through electronic medical record interoperability or wirelessly updating the Alaris System Guardrails, would not be available."
BD says it's addressing the vulnerability through upcoming versions of BD Alaris PC Unit and BD Alaris Systems Manager software.
"As part of our normal server upgrades, over 60% of Systems Manager installations have already been updated to a version that addresses this security vulnerability," BD notes.
In the meantime, BD recommends several mitigations and compensating controls to help reduce the risks associated with the vulnerability. These include users implementing firewall rules as recommended by BD.
The recent warnings concerning the BD products serve as an important reminder about medical device security risks in the healthcare sector, especially in light of the surge in ransomware and other cyberattacks directed at hospitals during the COVID-19 pandemic, some experts say (see: U.S. Hospitals Warned of Fresh Wave of Ransomware Attacks).
"Robust cybersecurity across IoT in general and medical devices specifically has not been a priority in the past for the manufacturers," says former healthcare CISO Mark Johnson of the security consultancy LBMC Information Security.
While the warnings about the BD product vulnerabilities are "somewhat worrisome," other recent government alerts about ransomware targeting healthcare providers as they deal with surging numbers of COVID-19 cases are "more worrisome," Johnson says.
"The good news for medical devices is that cybersecurity is becoming more of a priority, and alerts like these and others will continue to help underscore the need for that change in the industry."
In its alert, BD notes that a successful denial-of-service attack on the affected devices would result in users having to manually operate the system.
With so many hospitals busy dealing with COVID-19 cases, having to resort to manual operation of any medical devices could potentially result in delays and disruptions to patient care, says Carrie Whysall, director of managed security services at consultancy CynergisTek.
But she notes that for the BD devices, "fortunately, manual programming of the pump is not a very time-consuming process. Most clinical users have received proper education pertaining to the processes and procedures of manual programming. Understandably, when dealing with situations like COVID, this heightens the risk, stress and utilization of the clinical users and the devices."
When it comes to potential denial-of-service attacks impacting medical devices, patient safety is a top concern, she notes. "If this were to become wide-scale among the fleet of infusion pumps within the organization, the manual process of programming a pump could have significant impacts on our clinical users during this time," she says.
"The integration and interoperability between systems is a safeguard, a method to ensure that the right patient receives the right medication, the correct dosage and it is properly tracked. When a denial-of-service attack hinders this safeguard, we have a patient safety concern."