A medical workstation that is used by an array of medical facilities, including the NHS, is at risk of being remotely controlled by threat actors.
New York-based Cyber security researchers CyberMDX discovered a critical vulnerability within the Alaris Gateway Workstation, an infusion pump used in many medical centres.
This type of medical pump controls the injection of intravenous fluids and medications such as morphine or insulin. They are often connected to a medical monitoring hub where staff can oversee numerous machines and patients at once.
CyberMDX have discovered that a hacker can gain access to the pump and could potentially interfere with specific aspects of the device, including controlling the rate at which drugs are infused to a patient.
The vulnerability was discovered by CyberMDX’s Head of Research, Elad Luz who wrote in a security blog that: “An attacker can execute a counterfeit firmware upgrade without any predicate authentication or permissions. Malicious files can then be transferred via the update and copied straight to the internal memory — overriding existing files.”
“An attack of this sort can allow an attacker to disable the workstation, disrupt the flow of electricity to care-critical infusion pumps, falsify pump status information (vital for the nursing staff), and in some cases even alter drug delivery.”
A patch has been issued by the device’s manufacturer and all medical centres using the station are strongly advised to update its software.
Medical Centres At Risk
In its CVE report CyberMDX note that the vulnerability can cause other issues with the Alaris Gateway workstation such as:
- Machine bricking. The machine will need to get back to the factory for a repair, restarting won’t help.
- Planting a malicious agent as a base for network attack.
- Reporting false status from the pumps.
- In the event that the pumps connected to the gateway are among the AlarisTM GS, AlarisTM GH, AlarisTM CC, and AlarisTM TIVA models, an attacker can communicate directly with the device to (remotely) alter the infusion rate as well as start and stop commands, etc.
Matt Aldridge, Senior Solutions Architect at Webroot commented to Computer Business Review that: “The healthcare industry remains a prime target for attackers, due to the wealth of data it holds. But advances in technology means that hospitals have a growing array of connected devices, creating a large attack surface, prime for infiltrating.”
“These devices are everywhere from the back office, in medical facilities, and even inside patients. This ultimately means a cyberattack could cause catastrophic disruption to patient care and wellbeing. The disjointed and fragmented nature of the industry means it often lags behind other sectors in the race to defy attackers who can exploit historic weaknesses.”
“Every device on a hospital network must be covered by stringent patch management policies and processes, and suppliers must be kept in check to ensure that updates are released regularly and on time when vulnerabilities are found. Vendors should also make it easy and cost effective for updates to be applied. Most importantly, they need to ensure that their product update procedures are highly secure to avoid malicious control software being installed on an otherwise safe device.”