Privacy & Security

Severe hackable flaws found in Smiths Medical Medfusion 4000 devices, feds warn

Vulnerabilities were found in three versions of its wireless syringe infusion pumps and will issue a resolution in January 2018 with the release of a new model.
By Jessica Davis
September 12, 2017
03:09 PM

The U.S. Department of Homeland Security issued a warning about serious flaws found in Smiths Medical Medfusion 4000 wireless syringe infusion pumps that could potentially be hacked by cybercriminals and alter the devices’ performance.

DHS identified eight vulnerabilities in three versions of the device, which deliver small doses of medicine in healthcare facilities, both globally and in the U.S. The agency cited issues with a third-party component, which can cause a buffer overflow and allow a cybercriminal to execute dangerous code.

[Also: Old legacy devices pose greatest security risk, experts say]

Another third-party component reads memory out of bounds, which crashes the communication module. Officials from Smiths Medical said the communications module crashing wouldn’t impact the operation of the device.

The other six vulnerabilities stem from hard-coded passwords and credentials, authentication gaps and certificate validation issues that could give hackers access to the devices. These could also be leveraged to gain access to healthcare IT systems if the devices aren’t segmented from the main network.

[Also: FDA to patients with St. Jude pacemakers: Update needed to keep hackers out of devices]

Officials from Smiths Medical said that while there’s a potential for these flaws to be exploited, it would be unlikely in a clinical setting as the flaws “require a complex and unlikely series of conditions.”

Further, these vulnerabilities would require a hacker with a high skill level. ICS-CERT officials said there have been no publicly known exploits targeting the flaws. DHS and Smiths Medical have been working closely together to resolve these issues, along with the FDA Center for Devices and Radiological Health.

But the company won’t resolve the flaws until it releases Medfusion 4000 v1.61 in January 2018.

In the meantime, officials are recommending healthcare organizations apply defensive measures like assigning static IP addresses, monitoring network activity for rogue DNS and DHCP servers, ensuring the devices are segmented from the network, considering network VLNs and applying password hygiene.

“Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents,” DHS officials said.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com

Topics: 
Medical Devices, Privacy & Security

More regional news

Doctor smiles and waves into a laptop during a telehealth visit

VA plans to end telehealth copays and fund virtual care access in rural areas

By
Andrea Fox
November 14, 2024
HIT professional reviews information on a laptop outside a server room

ASPR seeks feedback on public health orgs' cybersecurity needs

By
Andrea Fox
November 13, 2024
Gabriel Jones of Proprio on AI

Artificial intelligence is enabling big advances in surgery

By
Bill Siwicki
November 13, 2024
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Doctor smiles and waves into a laptop during a telehealth visit
VA plans to end telehealth copays and fund virtual care access in rural areas

Most Read

The Light Collective amplifies its call for patient data rights
Atrium Health responds to new social engineering attack
Vendor Notebook: New cybersecurity and EHR performance upgrades 
Particle Health files antitrust suit against Epic
Choosing a managed IT service for aged care
ASTP intros 2024 draft Federal FHIR Action Plan

Research

White Papers

More Whitepapers

Patient Engagement
Patient Engagement
Financial/Revenue Cycle Management

Webinars

More Webinars

Imaging
Interoperability
Artificial Intelligence

Video

Andrea Hsu at National Science and Technology Council_HIMSS24 APAC
Fostering health IT innovation through academic-industrial collaborations
Valerie Rogers at HIMSS_Global Health Equity Week 2024
Technology and policy have a role to play in improving maternal health
Mike Relli at Knight Consulting_Global Health Equity Week 2024
New approaches to improving healthcare access for justice-impacted individuals
Jill Brewer at HIMSS_Healthcare Cybersecurity Forum 2024
What's the weakest link in organizational cybersecurity? Not what you might think

More Stories

Bird's eye view of Nashville during the day
Oracle seeks to address health disparities with new collaborative
Marjorie Rosen at HIMSS_Global Health Equity Week 2024
HIMSS chapters offer a powerful channel for healthcare advocacy
Returning service member with daughter
HIMSS launches veterans health IT workforce program
Morgan L. Waller, RN, of Children's Mercy Kansas City on telemedicine
Deep dive: Exploring one of the most advanced telemedicine programs in the U.S.
Person on laptop at kitchen table with another who holds up prescription bottle for telehealth doctor
ATA calls on Congress to beat the telehealth deadline, as it preps for Trump's term
Anurag Mehta at Omega Healthcare_Physician working on laptop Photo by Dzonsli/E+/Getty Images
Clinician burnout can be reduced by virtual nursing
Healthcare worker and patient watching doctor on screen
Discover the potential ROI of bedside telehealth
HKUST Provost professor Guo Yike presenting their new health LLMs
Hong Kong university to test four genAI models in...