The U.S. Department of Homeland Security (DHS) recently issued a warning that Smiths Medical Medfusion 4000 wireless syringe infusion pumps contain a security vulnerability that can be exploited by hackers to alter the performance of the medical devices.
The pumps infuse small doses of medication to patients in acute care settings. Eight different vulnerabilities have been identified in pump versions 1.1, 1.5 and 1.6. According to DHS, the vulnerabilities can be exploited remotely, which can cause harm to patients, and can be used to gain access to other healthcare information technology systems if the pumps are not segmented on the healthcare organization’s network.
Smiths Medical is working with DHS to resolve the flaws in its new version, which will be released in January of 2018. Until then, Smiths recommends the following:
- “Assign static IP addresses to the Medfusion 4000 Wireless Syringe Infusion Pump.
- Monitor network activity for rogue DNS and DHCP servers.
- Ensure network segments which the Medfusion 4000 medical infusion pumps are installed are segmented from other hospital and clinical information technology infrastructure.
- Consider network micro segmentation.
- Consider use of network virtual local area networks (VLANs) for the segmentation of the Medfusion 4000 medical infusion pumps.
- Apply proper password hygiene standards across systems (i.e., use uppercase, lowercase, special characters, and a minimum character length of eight).
- Do not re-use passwords.
- Routinely take backups and perform routine evaluations.”
In the guidance, ICS-CERT states:
“ICS-CERT reminds organizations to perform proper impact analysis and risk assessment by examining their specific clinical use of the pump in the host environment. NCCIC/ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users:
- Can evaluate the possibility of temporarily disconnecting the pump from the network until the product fix can be applied. Disconnecting the pump from the network would minimize the attack surface and reduce the risk of exploitation. If the pump were disconnected, it would have an operational impact, which would include preventing the pump from receiving drug library updates from the PharmGuard Server. This would require changes to the drug library to be manually input by clinical staff. According to Smiths Medical, disconnecting the pump from the network does not impact the clinical functionality of the pump. If network access is required, users should ensure that Port 20/FTP, Port 21/FTP, and Port 23/Telnet are closed.
- Ensure that the FTP server on the pump is not enabled. If the FTP server is enabled, it should be disabled. Disabling the FTP server will have operational impacts, which should be evaluated.
- Ensure that all unused ports are closed on the affected devices to include Port 20/FTP, Port 21/FTP, and Port 23/TELNET.”
- Monitor and log all network traffic attempting to reach the affected products, to include Port 20/FTP, Port 21/FTP, and Port 23/TELNET.
- Isolate the affected products from the Internet and all untrusted systems.
- Organizations should follow good network design practices that include network separation and segmentation; use DMZs with properly configured firewalls to selectively control traffic; and monitor traffic passed between zones and systems to identify anomalous activity.
- Locate all medical devices and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that any VPN is only as secure as the connected devices.
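Two of the monitoring recommendations above (watching for rogue DNS and DHCP servers, and logging all traffic that tries to reach Ports 20, 21 and 23 on the pumps) can be checked against exported flow logs. The following Python sketch is an added example, not part of the advisory or of Smiths Medical's guidance; the log format, the pump subnet and the approved server addresses are constructed assumptions.

```python
import csv
import io
import ipaddress

# Assumptions (constructed for this example, not taken from the advisory):
PUMP_NET = ipaddress.ip_network("10.20.30.0/24")     # VLAN holding the pumps
APPROVED = {67: {"10.20.30.1"}, 53: {"10.20.0.53"}}  # DHCP / DNS servers, keyed by source port
WATCHED_PORTS = {20: "FTP-data", 21: "FTP", 23: "Telnet"}  # ports named in the guidance

# Constructed flow records: ts,src_ip,src_port,dst_ip,dst_port,proto,action
SAMPLE = """\
2017-09-08T10:00:01Z,10.20.30.1,67,10.20.30.15,68,udp,allow
2017-09-08T10:00:05Z,10.20.30.77,67,10.20.30.15,68,udp,allow
2017-09-08T10:01:12Z,10.50.4.9,51544,10.20.30.15,23,tcp,deny
2017-09-08T10:01:40Z,10.50.4.9,51550,10.20.30.15,21,tcp,allow
2017-09-08T10:02:03Z,10.20.0.53,53,10.20.30.15,40112,udp,allow
2017-09-08T10:02:09Z,192.0.2.8,53,10.20.30.15,40113,udp,allow
2017-09-08T10:03:00Z,10.20.30.15,40200,10.20.0.80,443,tcp,allow
"""

def review(log_text):
    """Return (timestamp, finding, source) tuples for records an analyst should see."""
    findings = []
    fields = ["ts", "src", "sport", "dst", "dport", "proto", "action"]
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=fields):
        if ipaddress.ip_address(row["dst"]) not in PUMP_NET:
            continue  # only traffic headed to the pump segment is reviewed
        sport, dport = int(row["sport"]), int(row["dport"])
        if row["proto"] == "tcp" and dport in WATCHED_PORTS:
            # Record every attempt; an allowed one means the port is still reachable.
            kind = "reachable" if row["action"] == "allow" else "blocked"
            findings.append((row["ts"], f"{WATCHED_PORTS[dport]}-{kind}", row["src"]))
        elif row["proto"] == "udp" and sport in APPROVED and row["src"] not in APPROVED[sport]:
            # DHCP or DNS reply from a server that is not on the approved list.
            label = "rogue-dhcp" if sport == 67 else "rogue-dns"
            findings.append((row["ts"], label, row["src"]))
    return findings

if __name__ == "__main__":
    for ts, finding, source in review(SAMPLE):
        print(ts, finding, source)
```

A "reachable" finding means the firewall still passes FTP or Telnet to a pump and the rule set needs correcting, while a "blocked" finding is the logging of attempts that the guidance asks for.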