As reported by the U.K.’s Daily Mail, smart syringes, which are wireless-controlled devices used to administer medications through IVs, are now subject to hacking and, thus, have become a danger to patients.
The U.S. Department of Homeland Security says it has found a vulnerability in an automatic syringe infusion pump that doctors, nurses, and medical staff utilize to administer medications and anesthesia in the hospital setting.
In an advisory, the department’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said there was a security flaw in one device called the Medfusion 4000 that would give hackers control over it, meaning they could ‘instruct’ the syringe to either withhold or speed up the delivery of medication. Either of those scenarios could lead to death.
“Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access and impact the intended operation of the pump,” notes the warning. “Despite the segmented region, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump.”
Scott Gayou, a cyber security researcher, discovered at least eight vulnerabilities in the syringe, which is made by Smiths Medical. The company has said it plans to fix the flaws and will release a new version of its product next year. However, until then, DHS is warning hospitals to be on the lookout for any cyber tampering.
“An attacker with high skill would be able to exploit these vulnerabilities,” said the DHS warning. “Successful exploitation of these vulnerabilities may allow a remote attacker to spoof or disrupt Transmission Control Protocol (TCP) connections, sniff sensitive account information, and gain unauthorized access to a current web session.”
Cyber security researchers say that six of the eight vulnerabilities involve authentication, hard-coded credentials, and certificate validation, any of which would allow a hacker to gain access to the device. Two others involve third-party elements, one of which would give a hacker “remote code execution” on the machine.
Medfusion 4000 units are in common use for critical care, neonatal, and pediatric patients. For every patient, medication dosing is crucial, but that is especially true for newborns, because even the slightest error can be fatal.
The devices were developed as replacements for manual dosing, and are said to be a much safer, surer way to deliver medications intravenously.
Smiths Medical, which is a British firm, released a statement outlining the security flaws.
“The possibility of this exploit taking place in a clinical setting is highly unlikely, as it requires a complex and an unlikely series of conditions,” the company’s chief technology officer, Brett Landrum, wrote in a letter addressed to “Dear Valued Customer.” “I sincerely apologize for this inconvenience.”