Smiths Medical, the manufacturer of Medfusion 4000 drug pumps, has confirmed that its medical devices are vulnerable to cyberattacks and could be hacked into remotely.
Hackers may be able to take control of the device and stop it from working, preventing lifesaving drugs from being administered to patients.
The manufacturer supplies its drug pumps to hospitals across the globe. It is not known how many of these devices are in use here in the U.K.
About the devices
Regulators have issued a warning that three models of the drug pumps are affected by a flaw that could leave them vulnerable to hacking. Hackers may therefore be able to remotely take control of the medical device and control how much or how little of a vital drug it dispenses.
The electronic devices are supposed to prevent medical errors, allowing doctors and physicians to administer accurate doses of medication more effectively. Vice President of the company’s global product management department, Tommy Johns, praised the reliability of the drug pumps as being “recognised for its accurate medication delivery [to] patients in critical care units, including neonatal and paediatric intensive care”.
Given how vulnerable intensive care patients are, a small error in the amount of medicine received or the speed of administration could cause serious harm, or even be fatal.
Flaw found by security researcher
The flaw was found by an independent security researcher, Scott Gayou. The company revealed that Gayou purchased one of the devices second-hand and dedicated hundreds of hours to searching for vulnerabilities. Once he managed to hack into the device, he immediately notified the company of his findings so that it could find a way to patch the vulnerability straight away.
What’s being done about it?
Smiths Medical have been working with various authorities to resolve the vulnerability. New software reportedly won’t be ready until January 2018, so in the meantime, customers are being warned to systematically check and safeguard the devices to ensure they continue to deliver accurate doses of medicine as necessary.
Warnings to customers
“Please, if you are from a clinic that uses these devices, follow the manufacturer’s recommendations to update the devices. That will drastically reduce your risk”, engineer Todd Carpenter wrote in an email; “Monitor all your manufacturer updates, and keep your devices patched. Whilst this is an expensive part of your operation, it is definitely important.”
The company’s chief technology officer, Brett Landrum, apologised on behalf of Smiths Medical, but noted it’s “highly unlikely” that anyone will successfully hack into the devices. A spokeswoman for the company confirmed there have been no reports of any malicious hacking attempts.
Naturally, regulators recognise the increasing trend in vulnerabilities in electronic medical devices that can leave them open to hacking. Thousands of medical devices could reportedly be hacked into, including glucose monitors, insulin pumps, infusion pumps and pacemakers. In fact, a DefCon hacking conference was held earlier in August where security researchers uncovered flaws in hundreds of biomedical devices that left them vulnerable to hacking.