Becton, Dickinson and Company (BD) has uncovered eight potential ways that certain versions of its Alaris infusion pump systems could be hacked, with one rated as high-severity.

The company found the eight vulnerabilities during routine internal security testing and says they affect versions 12.1.3 and earlier with Guardrails Suite MX software, designed to measure system performance and reduce medication errors. It has voluntarily alerted the FDA and customers and has received no reports of any of these issues being exploited.

The high-severity flaw, which received an 8.2 on the 10-point Common Vulnerability Scoring System could enable an attacker to potentially upload a malicious file into the user import functionality to gain access to the healthcare facility’s confidential information.

The hacker would require network access, but if they had it and faced no other security blocks, “the complexity of exploiting this vulnerability is low,” said BD in the warning bulletin it released.

The other seven security risks range in scores from 3.0 to 6.9. The 6.9 risk could allow hackers to breach other components of the device, but would require an authorized user to complete certain steps to make the attack feasible. Additionally, the solution has control measures that reduce the probability of harm with any of the eight.

“If exploited, two of the vulnerabilities present no impact to patient safety, and six present remote or improbable potential impact. The potential for harm can only occur if the vulnerability is exploited,” said the company.

Earlier this year, BD found a separate security risk within specific versions of the Alaris Infusion Central software, which is installed on hospital computers to monitor infusion pump data transmission, that allowed for passwords used for database installations to be easily recovered, enabling hackers to access personal information that hospitals may store in the databases. It contacted all affected customers and updated installation instructions to prevent this.

It also issued Class I recalls of certain Alaris Pump Modules Model 8100 and certain model codes and lot numbers of the Alaris Pump Infusion Sets used with the pump in 2019.

The company is currently working on a plan to address the present issues.

It recommends that affected users employ network perimeter security measures (firewalls, access control lists); restrict external access; require authentication passwords; use MAC filtering; monitor Wi-Fi network credentials; adhere to industry security standards; and periodically inspect BD Alaris System components for signs of tampering and to ensure the most up-to-date software version is being used.

Back to HCB News

Health IT Homepage