The U.S. Department of Homeland Security issued a warning about serious flaws found in Smiths Medical Medfusion 4000 wireless syringe infusion pumps that could potentially be hacked by cybercriminals and alter the devices’ performance.

DHS identified eight vulnerabilities in three versions of the device, which deliver small doses of medicine in healthcare facilities, both globally and in the U.S. The agency cited issues with a third-party component, which can cause a buffer overflow and allow a cybercriminal to execute dangerous code.

[Also: Old legacy devices pose greatest security risk, experts say]

Another third-party component reads memory out of bounds, which crashes the communication module. Officials from Smiths Medical said the communications module crashing wouldn’t impact the operation of the device.

The other six vulnerabilities stem from hard-coded passwords and credentials, authentication gaps and certificate validation issues that could give hackers access to the devices. These could also be leveraged to gain access to healthcare IT systems if the devices aren’t segmented from the main network.

[Also: FDA to patients with St. Jude pacemakers: Update needed to keep hackers out of devices]

Officials from Smiths Medical said that while there’s a potential for these flaws to be exploited, it would be unlikely in a clinical setting as the flaws “require a complex and unlikely series of conditions.”

Further, these vulnerabilities would require a hacker with a high skill level. ICS-CERT officials said there have been no publicly known exploits targeting the flaws. DHS and Smiths Medical have been working closely together to resolve these issues, along with the FDA Center for Devices and Radiological Health.

But the company won’t resolve the flaws until it releases Medfusion 4000 v1.61 in January 2018.

In the meantime, officials are recommending healthcare organizations apply defensive measures like assigning static IP addresses, monitoring network activity for rogue DNS and DHCP servers, ensuring the devices are segmented from the network, considering network VLNs and applying password hygiene.

“Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents,” DHS officials said.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com