Cybersecurity Vulnerabilities Found In New Medical Devices

King & Spalding

Critical security flaws have been discovered in two widely-used medical devices, according to a disclosure by the IT consulting firm CyberMDX. Working closely with the device manufacturers, CyberMDX found vulnerabilities in certain versions of the BD Alaris TIVA syringe pump as well as the Datacaptor Terminal Server. The deficiencies were made public pursuant to a new disclosure policy initiated by the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (“ICS-CERT”).

According to the ICS-CERT filings, an attacker with even a low skill level can gain control of the Alaris TIVA syringe pump. Provided the attacker has access to the hospital’s device server, they could start or stop the pump and make unauthorised changes to its infusion rate, all without needing to know the pump’s IP address or its location within the hospital. Critically, the pump does not require the attacker to authenticate at all: commands are accepted without any credentials, a serious security flaw.

Similarly, the ICS-CERT filings revealed a “critical” vulnerability in the Datacaptor Terminal Server, a networking device that connects bedside equipment such as monitors, respirators, anesthesia machines and infusion pumps to a hospital’s internal network. The device’s preferences and settings are accessed and managed through a web interface, and that interface was found to be vulnerable to the so-called “Misfortune Cookie” flaw, a previously known weakness in a widely used embedded web server. A specially crafted HTTP cookie sent to the web interface, with no authentication required, corrupts the Datacaptor’s memory, and that memory write can be leveraged to gain administrator-level access to the underlying system. An attacker could then crash the device or interrupt the functioning of the various machines connected to it.
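To make the mechanism in the previous paragraph concrete, here is an added illustrative model in C of the flaw class, written for this page and not taken from the Datacaptor firmware or from the real Misfortune Cookie bug. It assumes a hypothetical cookie named `session`, a session struct whose fixed-size cookie buffer sits directly in front of the flag that unlocks management functions, and an unauthenticated parser that copies the client-supplied cookie value without checking its length; the hardened parser beside it rejects oversized values before touching memory.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/*
 * Illustrative model only (added example, not device code). Client-controlled
 * cookie bytes are parsed before any authentication happens, and the buffer
 * they land in is immediately followed by privilege state. Layout and cookie
 * name are assumptions made for the demonstration.
 */
#define COOKIE_MAX 16

struct session {
    char     cookie[COOKIE_MAX];  /* raw value of the assumed "session" cookie */
    uint32_t is_admin;            /* nonzero = management functions unlocked */
};

/* Locate the value of "session=" in a raw Cookie header. Returns a pointer to
 * the value and stores its length (up to ';' or end of string); NULL if absent. */
static const char *cookie_value(const char *header, size_t *len)
{
    const char *p = strstr(header, "session=");
    if (!p)
        return NULL;
    p += strlen("session=");
    const char *end = strchr(p, ';');
    *len = end ? (size_t)(end - p) : strlen(p);
    return p;
}

/* VULNERABLE: trusts the client-supplied length and copies the value into the
 * struct without comparing it to COOKIE_MAX. Bytes 16..19 of the value land
 * on is_admin. The copy goes through the struct's byte view and is capped at
 * sizeof(*s) purely so the demonstration stays inside one object and is
 * deterministic; that cap is exactly the bound a real flawed parser lacks.
 * Returns 1 if the request would now be treated as administrative. */
int handle_cookie_vulnerable(struct session *s, const char *header)
{
    size_t len;
    const char *v = cookie_value(header, &len);
    memset(s, 0, sizeof *s);
    if (!v)
        return 0;
    if (len > sizeof *s)
        len = sizeof *s;                        /* demo containment only */
    memcpy((unsigned char *)s, v, len);         /* overruns cookie[] into is_admin */
    return s->is_admin != 0;
}

/* HARDENED: validate the length before any copy and reject oversized values.
 * Returns -1 for a rejected request, otherwise 0/1 as above. is_admin is only
 * ever set after a real credential check, which this model does not perform. */
int handle_cookie_hardened(struct session *s, const char *header)
{
    size_t len;
    const char *v = cookie_value(header, &len);
    memset(s, 0, sizeof *s);
    if (!v)
        return 0;
    if (len >= COOKIE_MAX)
        return -1;                              /* oversized cookie: reject */
    memcpy(s->cookie, v, len);
    s->cookie[len] = '\0';
    return s->is_admin != 0;
}

/* Convenience probes: parse one constructed header with each parser. */
int probe_vulnerable(const char *header)
{
    struct session s;
    return handle_cookie_vulnerable(&s, header);
}

int probe_hardened(const char *header)
{
    struct session s;
    return handle_cookie_hardened(&s, header);
}

int main(void)
{
    /* Constructed sample headers: a benign cookie and one that overruns the buffer. */
    const char *benign    = "session=abc123";
    const char *oversized = "session=AAAAAAAAAAAAAAAABBBB";   /* 16 A's then BBBB */

    printf("benign, vulnerable parser:    admin=%d\n", probe_vulnerable(benign));
    printf("oversized, vulnerable parser: admin=%d\n", probe_vulnerable(oversized));
    printf("oversized, hardened parser:   rc=%d\n", probe_hardened(oversized));
    return 0;
}
```

Compile with `cc cookie_demo.c && ./a.out`. The vulnerable parser reports admin=1 for the oversized cookie because the four bytes past the buffer overwrite `is_admin`, which is the shape of the problem the paragraph describes: an unauthenticated request turned into a memory write that unlocks administrative functions. The model reproduces that pattern, not the specific cookie format or memory layout of the affected web server.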

The vulnerabilities disclosed by CyberMDX are not the first major security flaws to be discovered in medical devices. Recent years have seen a sharp rise in the number of networked medical devices, from cardiac monitors to glucometers. As more devices are connected to the internet, more access points are opened for attackers to exploit. Researchers say these implications should be taken seriously. In March 2018, a report from Britain’s Royal Academy of Engineering noted that “Cyberattacks on connected health devices are of increasing concern as they could have severe consequences on patient safety. Ever greater numbers of health devices have been identified as being potentially at risk, including pacemakers and MRI scanners.”

Currently, the potential implications of security vulnerabilities in medical devices are more frightening than the reality: to date there have been no recorded cases of hackers using a compromised medical device for criminal purposes. They have come close, however, as seen in the 2017 WannaCry cyber-attack, which affected 16 public and private health organisations around the world. In the United Kingdom, computers in hospitals and local doctors’ offices were hit with ransomware that encrypted files and threatened to delete all data, including patient records, unless the victim paid between $300 and $600 in Bitcoin to the attackers. The attacks led to the cancellation of as many as 19,000 appointments, with patients in affected areas advised to seek medical care only in emergencies.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising

