Infusion pumps sold on secondary markets such as eBay still carried troves of sensitive information about the hospitals that once owned them, researchers have found.
Rapid7 principal security researcher Deral Heiland and several colleagues examined 13 infusion pump devices from brands including Alaris, Baxter and Hospira, and found access credentials and authentication data belonging to their previous owners. The machines are critical devices that sit beside hospital beds and deliver fluids, medication or nutrients into a patient’s circulatory system.
The examination sheds light on a persistent problem in the medical device field: critical data stored on infusion pumps that is not properly purged before the devices are disposed of. The devices are often sold on secondary markets when hospitals upgrade them or replace them with newer models.
Eight of the 13 examined devices held sensitive information; the remaining five did not, which Heiland said was evidence that some devices are indeed being properly purged of data before being sold on sites like eBay.
The data left on most of those eight devices included WiFi passwords that had a high probability of still being valid at medical organizations in the U.S.
“Defining restrictions on what can or cannot be sold online becomes difficult. How would the market — eBay, for example — police that to identify whether devices have or have not been purged?” Heiland told Recorded Future News.
“In this case, I believe the responsibility lies with both parties. First, embedded medical technology vendors should provide a simple and well-documented method for purging the devices prior to their decommissioning and transfer. Second, medical organizations that leverage these technologies should implement processes and procedures (cradle to grave) that ensure the devices are properly purged of data prior to being decommissioned and sold or transferred to another party.”
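The cradle-to-grave process Heiland describes needs a verifiable last step: confirm that what the device still stores is clean before it leaves the building. The following is an added example, not Rapid7's tooling and not any vendor's purge procedure. It assumes a hypothetical key=value export of a pump's network settings in the style of a wpa_supplicant configuration, a constructed sample export, and a hypothetical checklist of sensitive keys; a real checklist comes from the vendor's decommissioning documentation for the specific model.

```python
"""Pre-release residual-data check for an infusion pump configuration export.

Added example (not Rapid7's or any vendor's code): scans a key=value export of
a pump's network settings for data that identifies or authenticates to the
hospital network, and shows what the same export must look like once purged.
"""
from dataclasses import dataclass

# Hypothetical mapping of configuration keys to a finding category. A real
# checklist is per vendor and model.
SENSITIVE_KEYS = {
    "ssid": "network_name",
    "psk": "wifi_psk",
    "wpa_passphrase": "wifi_psk",
    "identity": "eap_identity",
    "anonymous_identity": "eap_identity",
    "password": "eap_password",
    "private_key": "client_key",
    "private_key_passwd": "client_key",
    "gateway": "internal_host",
    "server": "internal_host",
    "patient_id": "phi",
    "mrn": "phi",
}

# Values a reset tool might leave behind that do not count as residual data.
PLACEHOLDER_VALUES = {"", "none", "null", "<purged>"}


@dataclass(frozen=True)
class Finding:
    category: str
    key: str
    line_no: int


def _parse(line: str):
    """Return (key, value) for a key=value line; None for blanks, comments, braces."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or "=" not in stripped:
        return None
    key, _, value = stripped.partition("=")
    return key.strip().lower(), value.strip().strip("\"'")


def scan_export(text: str) -> list[Finding]:
    """List every sensitive key that still carries a real value."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        parsed = _parse(line)
        if parsed is None:
            continue
        key, value = parsed
        if key in SENSITIVE_KEYS and value.lower() not in PLACEHOLDER_VALUES:
            findings.append(Finding(SENSITIVE_KEYS[key], key, n))
    return findings


def is_safe_to_release(text: str) -> bool:
    """True only when no sensitive key still holds a value."""
    return not scan_export(text)


def purge_export(text: str) -> str:
    """Blank every sensitive value: what a purged export should read like.

    This edits only the export text. The erase itself has to be done on the
    device with the vendor's documented reset, then confirmed by re-exporting
    and scanning again.
    """
    out = []
    for line in text.splitlines():
        parsed = _parse(line)
        if parsed and parsed[0] in SENSITIVE_KEYS:
            out.append(f"{parsed[0]}=")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample export; not data from any real device.
SAMPLE_EXPORT = """\
# constructed sample export; not data from any real device
device_serial=PUMP-000123
network={
ssid="HOSP-CLINICAL"
key_mgmt=WPA-EAP
eap=PEAP
identity="pump-svc@hospital.example"
password="CorrectHorseBatteryStaple"
ca_cert="/etc/certs/ca.pem"
}
gateway=pumpserver.hospital.example
patient_id=
"""

if __name__ == "__main__":
    for f in scan_export(SAMPLE_EXPORT):
        print(f"line {f.line_no}: {f.key} still set ({f.category})")
    print("safe to release:", is_safe_to_release(SAMPLE_EXPORT))
    print("safe after purge:", is_safe_to_release(purge_export(SAMPLE_EXPORT)))
```

On the constructed sample the scan flags the SSID, the EAP identity and password, and the internal gateway hostname, while the already-empty `patient_id` passes. Two caveats belong in any real procedure: the check only sees what the export shows, not what may remain in flash, so it complements rather than replaces the vendor's documented reset; and any network credential found on a device that has already left the organization should be treated as exposed and rotated.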
Infusion pumps have long been a source of concern for cybersecurity experts and vendors who have spent more than a decade trying to improve their security. The FBI warned in September that vulnerabilities in the devices are leaving a door open for cyberattacks.
Shawn Surber, senior director and healthcare strategist at cybersecurity firm Tanium, said healthcare institutions “should be just as disciplined disposing of devices as they are with biological materials.”
“Scenarios like this are all too common, as medical pumps and other peripheral devices are often overlooked as an attack vector,” he said. “The exposure of internal wireless network credentials and keys could easily lead to an attacker gaining internal access to a network and exploiting other vulnerable devices on that network. From there, the attacker could easily distribute malware or ransomware, or silently gather and exfiltrate personal health information [PHI].”
An attack of this kind would require close physical proximity to a target but, Surber said, could be particularly damaging “as the attacker would be able to exfiltrate PHI on their own device, rather than sending through other mechanisms that are more likely to be caught by network security solutions.”
‘A known issue’
Several of the infusion pump manufacturers mentioned in Rapid7’s report did not respond to requests for comment.
A spokesperson for Becton, Dickinson and Company — the company behind the Alaris brand of infusion pumps — said that data present on BD Alaris Systems is “protected by controls present within the system and adherence to industry security best practices regarding access control, identification and authorization, personnel security, and the physical protection of assets.”
The issues documented in the report “have been previously shared with BD customers and are remediated or mitigated through compensating controls in the latest BD Alaris Infusion System,” the spokesperson said.
“Latent data on legacy medical devices that have not been properly decommissioned is a known issue across the industry. BD issued a product security bulletin about BD Alaris System residual data in 2016 to bring attention to this issue and provide customers with recommendations for safeguarding patient data.”
The spokesperson added that the company has introduced additional functionality in recent versions of its software that makes data clearing easier for customers.
It has also published several white papers, disclosures and documents urging customers to clear historical log data before decommissioning the systems or moving the devices between facilities.
The company noted that a healthcare cybersecurity organization it belongs to published a guide this year on how hospitals and healthcare facilities can better manage legacy technology such as infusion pumps.
The International Medical Device Regulators Forum is also heavily involved in harmonizing global medical device regulations and challenges like poorly decommissioned devices that are transferred to new facilities, the spokesperson added.
Rapid7 researchers, though, think contractual agreements should be signed governing the process for purging data from devices.
Surber agreed, saying that the responsibility for wiping the devices at the end of their use needs to be explicitly outlined in all agreements between the hospital and the device service provider.
John Gallagher, vice president of internet-of-things (IoT) security company Viakoo Labs, noted that IoT medical devices are typically managed and operated by teams outside an organization’s IT staff.
“Whether it is cyber hygiene, proper network setup, or, as in this case, purging and decommissioning devices, it is a new skill set for these teams. It should be addressed through better cross-team coordination or training (or some combination thereof),” he said.
“While this example showed network information being divulged, it could just as easily be personally identifiable information. The legal and financial implications should drive organizations to ensure they have the right processes in place to avoid this data being released.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.