The US Cybersecurity and Infrastructure Security Agency (CISA) released an advisory for several Beckton, Dickson and Company (BD) systems and software packages on October 26th. BD has discovered numerous vulnerabilities with low attack complexity in some of its healthcare devices and management software.
Healthcare devices and software are designed to help medical professionals monitor their patient’s medical status and medication levels, as well as support other forms of treatment. Still, sometimes they come with problems of their own. This is the case with several of BD’s management software applications and devices, as reported by BD and CISA.
The devices affected are called Alaris Point-of-Care Units (PCUs), and they are used to control various pumps and monitors for the infusion of medications into the bloodstream of a patient. PCUs can transmit data to a medical provider’s computing devices and alarm systems so that the staff and doctor can monitor several patients from one or more monitors seamlessly.
The hardware processes for the system are run by industrial control system code, which, just like computers, can have errors that allow vulnerabilities. For the PCU, the code for model 8015 up to and including version 12.1.3 has three of these vulnerabilities:
- Insecure communications from the unit to external modules is not in a secure format, thus allowing a person with the right connector and physical access to the devices to read and modify the data stream potentially.
- Authentication can be bypassed using a physical connection to the device, which means the device’s configuration can be changed in an unauthorized manner.
- The update software for the unit (called firmware) is not properly signed, meaning that it can be changed.
Vulnerabilities in other software packages for the management or reporting of the state of various systems were also disclosed. The packages affected are:
- Alaris Guardrails Editor (v12.1.2 and before)
- Alaris Systems Manager (v12.3 and before)
- CQI (Continuous Quality Improvement) Reporter (v10.17)
Each of the above systems is a part of the overall technology support required to monitor the continued health and medical state of a patient, which can pose a severe problem when they do not work as intended or are maliciously changed to operate outside their expected parameters. For instance, a connected infusion pump metering analgesics could be forced to up the dose, potentially causing fatal consequences.
The vulnerabilities reported were:
- A dataset file that is not tamper-protected that can be transmitted to PCUs.
- Cross-site scripting (XSS) vulnerabilities that stem from improperly neutralized input data. This means the data can contain bad information or even malicious device code and can be used to further compromise other systems and services.
- XSS in a malicious file can be uploaded into an import function to hijack a user session.
- XSS due to a lack of input validation during a device import.
- Cleartext transmission of sensitive data – insecure connection protocols and code, exposing infusion data.
- Apache Log4Net with an outdated software version means that a malicious actor could execute commands without authorization to control devices and input/output.
How will this Affect You?
If you are a healthcare provider or staff member, you likely use numerous devices and bits of software from multiple vendors, so it is essential to be sure what you have is up-to-date and safe for your patients. The potential for harm to your patients is not something you wish to allow to continue to exist.
A malicious actor can and will take advantage of any vulnerabilities left open to exploitation if given the opportunity. But a simple error in a request for information could also be a problem.
Errors in a healthcare setting can cause adverse drug reactions or even a fatality. While you are required to carry insurance to protect against lawsuits or fines, you still will lose some of your good reputation and the faith of your clients in a situation where a lack of attention to your sensor and device maintenance could have been avoided.
What should you do?
Start with checking any systems you have in your technology suite that are from BD to ensure that the most up-to-date software and firmware are installed. Check all of your equipment, sensors, computing devices, and peripherals. A good technology hygiene process will only benefit you by avoiding most or all of the potential problems that could arise.
It may also be a good idea to train staff to recognize problems or misconfigurations in these devices or software. The training may require you to bring in someone from the manufacturers, so be prepared to take the time to create a relationship with them to foster this type of effort.
If you find equipment or software that is out of date, please get it updated as quickly as possible. If there are no updates available, then you may need to investigate getting replacements that do not have the vulnerabilities and are still being updated regularly by the manufacturer.
- Enhanced Device and Software Security Protocols: Prioritize updating all healthcare devices and management software to the latest versions to address known vulnerabilities, as advised by the CISA and BD alerts, ensuring the safety and confidentiality of patient information.
- Regular Firmware and Software Updates: Implement a strict schedule for checking and updating the firmware of all medical devices, like Alaris PCUs, to protect against unauthorized access and to ensure the integrity of medication dosages administered to patients.
- Targeted Employee Cybersecurity Training: Provide specialized training for healthcare staff to recognize and correctly respond to security warnings and potential device misconfigurations, reducing the risk of compromised patient care due to device tampering or malfunction.
- Vigilant Network Monitoring: Establish continuous network monitoring to swiftly detect and mitigate any unauthorized attempts to exploit device vulnerabilities, ensuring all connected healthcare systems function securely and reliably.
- Healthcare Technology Hygiene: Advise on the development of a comprehensive Healthcare Device and Software Maintenance Plan, which includes regular reviews and updates as part of the facility’s standard operational procedures to prevent and reduce cybersecurity risks.
To find out more about how we can help, visit our website or give us a call at (888) 767-2210 to set up an appointment. We look forward to meeting with you!