Medical infusion-pump system has two serious bugs, researchers say

The Alaris Gateway Workstation can be "bricked" by one attack, and another would allow hackers to reconfigure it or monitor what it does, researchers with CyberMDX say.
Alaris Gateway Workstation
A detail of an Alaris Gateway Workstation.

Researchers have found two vulnerabilities in a type of infusion-pump system, which hospitals used to administer medication, that they say could allow a hacker to disable the device, infect it with malware, or create false readings.

The vulnerabilities are in a pump system known as the Alaris Gateway Workstation made by Becton, Dickinson and Company (BD), a New Jersey-based medical equipment vendor.

“In extreme cases, the attacker could even communicate directly with pumps connected to the gateway to alter drug dosages and infusion rates,” researchers from CyberMDX, a medical-device security company that found the flaws, said in a press release Thursday.

The more severe vulnerability is in the workstation’s firmware and could allow an attacker to “brick” the workstation, rendering it useless unless it is returned to the manufacturer for repair. The other vulnerability could let a hacker alter the workstation’s network configuration and monitor the pump’s status. Firmware updates issued by the company fix the bugs.


BD spokesman Troy Kirkpatrick said the workstation is not used in the U.S., and that the vulnerabilities do not apply to a majority of BD infusion systems. Asked how widely used the product is outside of the U.S., Kirkpatrick said the company doesn’t disclose installation figures for competitive reasons.

The company has a “voluntary, proactive vulnerability disclosure process to ensure our customers are aware of any potential vulnerabilities and the compensating controls to mitigate them,” Kirkpatrick said in an email to CyberScoop. He said an attacker would need access to a hospital network and intimate knowledge of the product to manipulate a pump’s safety parameters.

The Department of Homeland Security’s industrial control system unit issued an advisory that advised organizations on mitigating risk stemming from the vulnerabilities.

“The onus for medical device security lies across all stakeholders — the device manufacturers, healthcare providers, and technology companies — and CyberMDX’s cybersecurity research team is committed to working with all these parties to make hospitals safer and medical equipment more reliable,” Elad Luz, CyberMDX’s head of research, said in a statement.

Patching vulnerable software and hardware has been a challenge for the health care industry, where outdated equipment often lingers for years.


Stephanie Domas, vice president of R&D at healthcare cybersecurity company MedSec, said the vulnerabilities disclosed by CyberMDX are a “picture book representation of two of the biggest struggles in the medical device security space: legacy devices, and devices not running the latest software release.”

“Hospitals struggle to keep medical devices up to date, due to the sheer number of them, and the multitude of unique update procedures,” Domas told CyberScoop.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts