BD, a global medical technology company, recently posted a cybersecurity bulletin alerting healthcare providers about a potential hacking risk found in software used to monitor some of their infusion pumps.
The vulnerability specifically affects BD’s Alaris Infusion Central software, which is installed on hospital computers and linked to Alaris Plus and Alaris nexus pumps. The software allows clinicians to monitor data sent from the devices, which are used to control the delivery of medications, nutrients, and other fluids to patients via IV.
According to BD, the vulnerability stems from the fact that in certain versions of the software, the password used for database installation can be recovered easily, potentially allowing hackers access to personal information stored in the system. While the Alaris Infusion Central database itself does not store patient health data, hospitals using the software may choose to store other personal information in the database.
This information could be accessed and tampered with by a hacker who can recover the system password. BD has already notified relevant authorities, including the FDA and the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), about the potential threat. The company has assigned the hacking risk a score of 7.3 out of 10 on the Common Vulnerability Scoring System, which denotes a “high” severity.
Although the software flaw did not reach the “critical” risk threshold, it could still potentially result in a “high impact to confidentiality and integrity” and “partial impact to availability of data,” according to BD.
However, the company’s own assessments indicate that there is a low probability of harm occurring, especially because the software is only used to track infusion pump data and cannot be used to alter the settings of connected devices.
Despite this, BD is in the process of contacting all affected healthcare providers to “initiate remediation.” In the meantime, those using the software should regularly change their database passwords and ensure that only authorized users have access to the server. This vulnerability comes after BD published another cybersecurity bulletin in December 2021 about the possibility that several models of its BodyGuard infusion pumps could be broken into, but only by hackers with physical access to the pumps.
That vulnerability was given a “medium”-severity Common Vulnerability Scoring System score of 5.3. It is worth noting that while this vulnerability relates only to the software used to monitor infusion pumps, the pumps themselves are particularly vulnerable to other attacks.
A study published in 2021 found that up to 75% of the devices could be at risk of being hacked, potentially allowing malicious actors to access the pumps’ data and even reconfigure their settings. As such, healthcare providers should remain vigilant and take appropriate measures to secure their medical devices and associated software systems.
In conclusion, while the risk of harm from this particular vulnerability is low, it highlights the need for continued vigilance and proactive measures to ensure the security of medical technology and associated software systems. Healthcare providers should regularly review and update their cybersecurity protocols to mitigate the risks posed by potential vulnerabilities.