Protecting Wireless Infusion Pumps


A wireless infusion pump ecosystem typically consists of infusion pumps, a pump server, wireless access points, and a wireless controller. A wireless infusion pump, like any connected Internet of Medical Things (IoMT) device, plays a critical role in enhancing patient care.

The Layout

The wireless infusion pump can use various wireless protection protocols, ranging from Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) to WPA2-Enterprise or PSK, when it connects to the hospital wireless network. Hospitals assign wireless medical devices a unique SSID that is different from the one used for other enterprise device access. The WLAN can be deployed in different ways, from Centralized Deployment or Distributed Campus Deployment to a controller-less architecture, with a CAPWAP or GRE tunnel to encrypt the traffic.

The pump server and infusion pumps can be on different VLANs. For example, the SSID to which a pump connects can be assigned a unique VLAN that is different from that of the pump server.

The Threats

Like any connected device, wireless infusion pumps face a range of threats, such as:

  • Unauthorized access

  • Denial of Service attack

  • Advanced Persistent Threats (APT)

  • Device misconfiguration

  • Unintentional device misuse

Unauthorized Access

According to a recent Verizon study, healthcare is the only industry where the threat from inside is greater than that from outside. For example, a privileged individual, such as an employee with access to an infusion pump, can extract or tamper with PHI data or compromise drug delivery by exploiting its vulnerabilities.

These targeted attacks do not require much knowledge of the pump or pump server but can cause considerable damage to pump operation. A privileged employee can access the pump server and infusion pump even in a well-segmented network. Unauthorized remote login using a stolen vendor credential can also compromise an infusion pump in a similar fashion.

For infusion pumps configured to use WPA2-PSK mode, compromised credentials can be used for unauthorized access.

Denial of Service

These attacks primarily operate within the healthcare delivery organization (HDO) premises and can target both the pump server and the infusion pump. For infusion pumps that do not perform host certificate validation or that use telnet ports with no authentication, an attacker can simply target the pump's open ports using a laptop and cause denial of service by corrupting its file system or impacting its drug delivery system. The attacker can also hijack sessions to steal IDs and possibly gain access to the pump server to cause broader damage.

Advanced Persistent Threats (APT)

APT is a term used to describe an attack in which the attacker establishes a long-term presence on a network. An infusion pump can become the launch point for such an APT when a bad actor successfully places malicious code on the pump, causing adverse situations throughout a hospital's infrastructure. APTs are difficult to detect and can remain hidden in reconnaissance mode for a long time before they act. Moreover, this malware often establishes additional points of compromise by spreading laterally in the network without being detected. This stealthy behavior makes detection challenging and remediation very complex, because multiple points of compromise may already be established.

Misconfiguration

HDO networks are complex to administer and configure. In such a diverse environment, with thousands of connected devices, many of them life-saving, IT administrators are regularly bombarded with a myriad of configuration change requests. This increases the chance of network misconfiguration, causing the pump to suffer performance degradation and loss of connectivity with the pump server. Medical devices are often passively exposed to network noise such as multicast or broadcast storms caused by switch misconfigurations, which may impact their performance. These user-created errors often increase the attack surface.

Unintentional device misuse

This involves scenarios in which an exposed port on the infusion pump or pump server, for example its Universal Serial Bus (USB) port, is used for extracting data or for recharging mobile phones. Using these ports for unintended purposes may inadvertently enable malicious code to migrate to the pump or pump server.

Best Practices

Hmatix recommends the following best practices to secure the Wireless Infusion Pump ecosystem.

| ID | Best Practice | NIST CSF Subcategory | Recommendation |
|----|---------------|----------------------|----------------|
| 1 | Create unique SSID for Wireless Infusion Pump to connect to HDO wireless network and map the SSID to unique VLAN | PR.AC-5: Network integrity is protected | It is recommended to keep patient and visitor network access separate from the medical device |
| 2 | Segment the network and segregate them to limit the threat exposure to the larger enterprise | PR.AC-5: Network integrity is protected | There are multiple ways to segment the network such as creating VLANs to a combination of VLANs and firewall, termed as zones |
| 3 | Sandbox devices that cannot be patched | PR.PT: Protective technology | Hmatix solution can provide complete sandboxing of Infusion pump and pump server and isolate them from newer threats and vulnerabilities |
| 4 | Limit trust between network segments by controlling what machines and services can communicate between these segregated network segments using identified ports and IP protocol. | PR.AC-5: Network integrity is protected | Hmatix solution provides automated enforcement based on the baseline ensuring only trusted devices can communicate with infusion pump and pump server while blocking unauthorized traffic |
| 5 | Identify protected critical assets in the Wireless Infusion pump ecosystem in detail such as hardware, software, operational status | ID.AM-1,2: Hardware and Software platforms are identified and inventoried | Hmatix solution identifies the endpoints being protected by creating a chain of trust. With its ability to integrate with ITAM tools, provide availability and operational status; the IT admin can do a complete security audit. |
| 6 | Identify existing actors, flows, vulnerabilities, existing risks and threats and perform Cyber intelligence to understand existing risks within the Wireless Infusion Pump ecosystem | ID.RA-1,2: Risk Assessment | Hmatix Solution can perform risk assessment, threat intelligence and identifies open vulnerabilities on infusion pump and pump server. |
| 7 | Perform regular integrity checking such as changes to software, firmware, device identity of the Infusion pump and Pump server | PR.DS-6: Integrity Checking | Hmatix Solution can perform active and passive scanning of endpoints providing security admin a greater insight into the assets |
| 8 | Create baseline model of network operations, expected data flows between Infusion pump and other network entities | DE.AE: Anomalies and Events | Hmatix Solution learns endpoint behavior using autonomous learning and generates a baseline model for every device being protected |
| 9 | Perform continuous monitoring of Infusion pump and Pump Server to detect anomalies outside the baseline | DE.CM: Security Continuous Monitoring | Hmatix Solution detects anomalies with low-false positive due to the proximity to the connected device and its device centric baselining |
| 10 | Recommend use of Proxy Server to terminate remote vendor login and then initiate RDP or other agreed mechanisms connect to the Pump server or the Infusion pump | PR.AC-3: Remote Access is managed | Hmatix Solution can automatically identify this actor as a trusted entity while creating the baseline profile |
| 11 | Protect data-in-transit by allowing communications only between trusted machines and applications over allowed ports | PR.DS-2: Data-in-transit is protected | Hmatix Solution can block anomalous traffic in real time and only allows communication with trusted entities and over known ports |
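
The baseline-and-monitor approach in practices 4, 8, 9 and 11 can be sketched as a flow allowlist learned from known-good traffic and then applied to live flows. This is an added example, not code from the original article or from Hmatix; the subnets, ports, role names and flow records are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Constructed addressing: pumps and the pump server sit on separate VLANs.
PUMP_VLAN = ipaddress.ip_network("10.20.30.0/24")
PUMP_SERVER = ipaddress.ip_address("10.20.40.10")

def role(addr):
    """Collapse an address into a role so one baseline covers every pump."""
    ip = ipaddress.ip_address(addr)
    if ip == PUMP_SERVER:
        return "pump-server"
    return "pump" if ip in PUMP_VLAN else "other"

def key(flow):
    return (role(flow.src), role(flow.dst), flow.proto, flow.dport)

def learn_baseline(trusted_flows):
    """Baseline = every (src role, dst role, proto, port) seen in a known-good window."""
    return {key(f) for f in trusted_flows}

def find_anomalies(baseline, flows):
    """Return (flow, reason) for protected-asset flows that fall outside the baseline."""
    alerts = []
    for f in flows:
        k = key(f)
        src, dst = k[0], k[1]
        if k in baseline or (src == "other" and dst == "other"):
            continue  # expected traffic, or traffic that never touches a protected asset
        if "other" in (src, dst):
            reason = "untrusted peer"
        elif src == dst == "pump":
            reason = "pump-to-pump (possible lateral movement)"
        else:
            reason = "unexpected port or protocol"
        alerts.append((f, reason))
    return alerts

# Constructed flow records; ports are illustrative, not taken from any real pump.
TRUSTED = [Flow("10.20.30.11", "10.20.40.10", "tcp", 443),
           Flow("10.20.40.10", "10.20.30.12", "tcp", 8443)]
OBSERVED = [Flow("10.20.30.15", "10.20.40.10", "tcp", 443),  # matches baseline
            Flow("10.20.50.7", "10.20.30.11", "tcp", 23),    # laptop to pump telnet
            Flow("10.20.30.11", "10.20.30.12", "tcp", 445),  # pump to pump
            Flow("10.20.40.10", "10.20.30.11", "tcp", 23),   # server on a new port
            Flow("10.20.50.7", "10.20.60.9", "tcp", 80)]     # not pump-related

if __name__ == "__main__":
    for flow, reason in find_anomalies(learn_baseline(TRUSTED), OBSERVED):
        print(f"ALERT {reason}: {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
```

Roles here are derived from IP address alone, so the check is only as strong as the segmentation behind it; the same rule set can drive a firewall policy between the pump and pump-server VLANs.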