Researchers show how to tamper with medication in popular infusion pumps using software flaws

Written by Aug 24, 2021 | CYBERSCOOP

McAfee security researchers on Tuesday said they had found multiple vulnerabilities in infusion pump software that, under certain conditions, a skilled hacker could use to alter a patient’s medication dose to a potentially unsafe level.


The vulnerabilities are in equipment made by multinational vendor B. Braun that is used in pediatric and adult health care facilities in the United States.


While there are no reports of malicious exploitation of the flaws, the research illustrates the challenge of securing devices conceived decades ago from 21st-century digital threats. The findings come as the health care sector reckons with a series of ransomware attacks that hit aging hospital computer networks during the pandemic.


Medical devices “remain vulnerable to legacy issues that have persisted for many years and have exceptionally slow update or upgrade cycles,” said Steve Povolny, who heads the Advanced Threat Research team at McAfee.


In a statement, B. Braun said the firm disclosed the vulnerabilities to customers and the Health Information Sharing and Analysis Center in May, and that the vulnerabilities affect “a small number of devices utilizing older versions of B. Braun software.” The firm did not provide an estimate of the number of devices affected.


“We strongly disagree with McAfee’s characterization in its post that this is a ‘realistic scenario’ in which patient safety is at risk,” the B. Braun statement continues. “We have a robust vulnerability disclosure program and when vulnerabilities are discovered, our goal is to mitigate potential risks as quickly as possible.”


The research comes with caveats: The attack scenario requi ..
