Who would have ever thought cyber criminals could break into wireless medical infusion pumps to access a hospital or home-based wireless network? There haven’t been any known cases involving this type of exploitation; furthermore, it would take a very highly skilled cybercriminal to produce the desired effect. Vulnerabilities of wireless medical infusion pumps may put networks, sensitive protected health information (PHI), and electronic health record (EHR) data at risk, potentially allowing nefarious activities by unauthorized actors!
An unauthorized actor gaining access to a wireless infusion pump could potentially cause the wrong dosage to be administered or, even worse, no dosage at all, with possibly lethal consequences! On the opposite side, there have been cases where ethical hackers (grey hats) planned on demonstrating vulnerabilities in wireless heart pacemakers using a wireless technology called a personal area network (PAN).
If exploitation were successfully achieved, the wireless infusion pump could be used to pivot to other networked devices, or even to another wireless infusion pump, to carry out internal host discovery, enumeration, port scanning, and so on. Wireless medical infusion pumps are vulnerable because of their associated wireless technology, weak authentication, software update and patching practices, and complex management processes (hands-on activity).
First, let’s explore the various types of infusion pumps. There are many types: external intravenous, subcutaneous, electrical, or mechanical, with implementations using syringe pumps, elastomeric infusion pumps, and peristaltic pumps. There are other, more complex infusion pumps with the ability to deliver fluids from more than one reservoir at different delivery rates.
Medical wireless infusion pumps deliver critical measured dosages, minimizing inaccuracy from human mistakes. Infusion pumps have sensors to alert if there is an adverse relationship between the patient and the dosage. The measured dosages can be in the form of antibiotics, nutrients, insulin, chemotherapy, high-risk medicines, pain relievers and more.
The newer medical infusion pumps, called smart pumps, are designed with the capability to alert the medical operator or individual home user if the dosage is too light or over the maximum allowed. All of this is very important to human life and health care.
The vulnerabilities of wireless medical infusion pumps (WMIPs) are numerous, according to a report published by NIST. Let’s explore accountability. Who is actually responsible for managing, maintaining and controlling wireless infusion pumps?
Does the primary responsibility reside with the nurses, vendors, hospital IT operations, or the doctors? Biomedical engineers and IT staff have access to the WMIP devices in the form of administrator credentials. Hospital staff members also require access to the display panels to perform their duties. Nurses are likely to access the infusion pumps more often than doctors because their roles and duties include setting the prescribed medication dosage.
Access to WMIPs isn’t limited to hospital staff. Vendors are responsible for updates and software patches, which requires access to the infusion pumps as well. Vendors may access the wireless infusion pumps by way of HTTP, HTTPS, Telnet, or SSH to perform upgrades, patches or routine maintenance. Infusion pump vendors also play a role in training staff members on operations, maintenance, configuration specifications and instructions for operating the infusion pump with third-party devices. If you are feeling a bit overwhelmed at this point by the number of actors accessing the device, you’re not alone!
We are all too familiar with the untenable usage of weak passwords and with relying on them alone as protection, especially against cyber criminals. The problem with medical operator access to wireless infusion pumps is that passwords for infusion pumps are created for all and shared by all in the healthcare facility. Interestingly enough, infusion pumps do not have a lockout on the number of bad password tries. According to the National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE), healthcare’s motto is “Failure to success instead of failure to lockout.” Normally biomedical engineers are the ones creating and administering user passwords for medical staff members, but the devices are hard-coded with a default vendor password as well.
In most cases the pharmacist plays an important role in administering a patient’s prescribed dosage by accessing the healthcare facility’s drug library information system database. This information is used by biomedical engineers to configure and update the device for administering medication and is then passed on to nurses, who preset prescribed dosages. One of the shortcomings in that process is that after the pharmacist verifies the drug library information list and gives the biomedical engineer the green light for approval, there is no validation of the information. Encryption of the library data may or may not be used, and no checksum verification process is used for validating the library information against tampering or alteration of the drug dosages configured for the infusion pumps.
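The missing validation step described above can be closed by sealing the drug library at pharmacist approval and checking that seal before the library is loaded onto a pump. The following Python is an added example, not code from NIST, the FDA or any pump vendor; the library fields, manifest layout and shared key are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample: a tiny drug library as the pharmacist approved it.
# Field names and limits are illustrative, not from any real pump vendor.
APPROVED_LIBRARY = [
    {"drug": "heparin", "unit": "units/kg/hr", "soft_max": 25, "hard_max": 40},
    {"drug": "insulin", "unit": "units/hr", "soft_max": 10, "hard_max": 20},
]

def canonical_bytes(library):
    """Serialize deterministically so equal content always yields equal bytes."""
    ordered = sorted(library, key=lambda e: e["drug"])
    return json.dumps(ordered, sort_keys=True, separators=(",", ":")).encode("utf-8")

def seal_library(library, key):
    """Run at pharmacist approval: bind the approved content to a manifest."""
    data = canonical_bytes(library)
    return {
        "entries": len(library),
        # Plain hash catches corruption; anyone who can edit the file can redo it.
        "sha256": hashlib.sha256(data).hexdigest(),
        # Keyed digest cannot be recomputed without the approval key.
        "hmac_sha256": hmac.new(key, data, hashlib.sha256).hexdigest(),
    }

def verify_library(library, manifest, key):
    """Run before loading the library onto a pump. Returns (ok, reason)."""
    if len(library) != manifest.get("entries"):
        return False, "entry count differs from approved manifest"
    expected = hmac.new(key, canonical_bytes(library), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("hmac_sha256", "")):
        return False, "keyed digest mismatch: library altered after approval"
    return True, "library matches pharmacist-approved manifest"

def demo():
    key = b"constructed-demo-key"  # assumption: held only by the approval system
    manifest = seal_library(APPROVED_LIBRARY, key)
    tampered = [dict(e) for e in APPROVED_LIBRARY]
    tampered[1]["hard_max"] = 200  # dosage limit changed after approval
    return (verify_library(APPROVED_LIBRARY, manifest, key),
            verify_library(tampered, manifest, key))

if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

In a deployment where the engineer's loading tool should not be able to forge approvals, the keyed digest would be replaced by a digital signature so that only the verification key sits on the loading side.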
Asset management of the wireless infusion pumps should follow the life cycle processes set forth in the FDA’s guide on “Infusion Pumps Total Life Cycle Guide”. The infusion pump life cycle involves: 1. Procurement, 2. Asset Onboarding, 3. Usage Instructions & Training, 4. Configurations, 5. Maintenance, 6. Actual Usage, 7. Decontamination, 8. Decommission.
Two groups typically perform management of infusion pumps:
- IT staff members track the system, software and versions
- Biomedical engineers perform maintenance, track battery usage, cleaning, etc.
Both groups use a form of database management for entering and tracking information. IT professionals use configuration management databases, while biomedical engineers may use computerized maintenance database systems. Keeping both management systems synchronized for proper data correlation and monitoring is often a challenge.
Another problem with wireless infusion pumps is the frequency of software and patch updates. Public outcries over past reliability and performance issues with infusion pumps caused the FDA to mandate changes in how medical devices are marketed to the healthcare industry using the Premarket 510(k) submission.
Infusion pump manufacturers have to submit for FDA approval before any new infusion pumps, or changes to them, are introduced into the healthcare market, even though the FDA has stated that it’s not necessary under its Premarket 510(k) submission to go through recertification for software updates, and has laid out the certification processes [see pages 33-35 in the Premarket 510(k) guide]. In addition, manufacturers of infusion pumps are apprehensive about upgrading infusion pumps without post-upgrade testing of the devices. The reasons are cost and internal processes that are unmodifiable. There isn’t a streamlined process even for minor updates. Changes would entail the manufacturers going through the whole testing life cycle process suite.
On the IT side, running traditional scanning technologies can cause adverse effects on wireless infusion pumps. IT staff have to manage tracking the devices and monitoring them for malware infection. Another challenge is that the devices are often hard-coded with an unchangeable user name and password for healthcare facility usage and vendor maintenance. Since the devices are managed outside of IT staff’s normal asset management realm, some wireless infusion pumps are often stored in closets and pulled out for usage by medical operators. This closet storage practice can introduce vulnerabilities because of missed scheduled maintenance, cleaning and critical updates.
WMIP issues are not limited to accessibility or storage procedures; they also involve wireless channels, wireless device saturation, frequency ranges, and alienation from the Wi-Fi Alliance. Other factors include low radio performance and interference from other wireless devices. These issues may affect confidentiality, integrity and availability (CIA), the core tenets of IT and cyber security experts.
According to the report published by NIST and NCCoE, infusion pump functionality cannot be dependent on wireless connectivity. “This is an example of operational functionality versus health care”.
In closing, wireless medical infusion pumps should operate regardless of their ability to connect to the network. Lives are more important than convenience or functionality! The ability to infuse drugs in a patient should be more important than the benefit of connecting to a wireless network. The U.S. Food and Drug Administration, the American Hospital Association urged the government to “Hold device manufacturers accountable for cybersecurity”. The action of holding vendors accountable, especially for poor security development lifecycle (SDL) processes, would definitely put them at proximate causation!