Infusion Pump-linked Workstations Contain Critical Security Flaw

The security flaws have left the linked infusion pumps exposed to hackers who could remotely change the dosage of drugs being administered to patients, or even stop them altogether.

The pumps are used in a wide range of therapies, including fluid therapy, blood transfusions, chemotherapy, dialysis and anesthesia.

CyberMDX discovered the previously undocumented vulnerabilities in the workstations, explaining that the Alaris Gateway workstation supports a firmware upgrade that can be executed without any predicate authentication or permissions.

Running a counterfeit version of this upgrade can give bad actors a route to “authenticate” malicious content, according to the CyberMDX announcement, which was backed up by the Department of Homeland Security.

In addition, the web management system requires no credentials and does not allow for the incorporation of credentials, which means anyone knowing the IP address of a targeted workstation could monitor pump statuses and access event logs, and potentially change the gateway’s network configuration or even restart the gateway.
