Protecting Wireless Infusion Pump

An external infusion pump, according to the Food and Drug Administration (FDA), is a medical device that delivers fluids into a patient’s body in a controlled manner; a wireless pump additionally connects to a pump server to exchange infusion-related information. Patients and clinicians rely on infusion pumps for the safe and accurate administration of fluids and medication. A wireless infusion pump ecosystem typically consists of one or more infusion pumps, a pump server serving those pumps, one or more wireless access points, and a wireless controller.

The wireless infusion pump, like any other connected Internet of Medical Things (IoMT) device, therefore plays a critical role in patient care, and its compromise has direct patient-safety consequences.

The Layout

The wireless infusion pump may support a range of wireless protection protocols when it connects to the hospital wireless network, from Wired Equivalent Privacy (WEP) through Wi-Fi Protected Access (WPA) to WPA2-Enterprise or WPA2-Personal (pre-shared key, PSK). WEP is cryptographically broken and should be treated as no protection at all; pumps that support nothing stronger must be isolated by other means. Hospitals may assign wireless medical devices a unique SSID that is separate from the SSIDs used by other enterprise devices. The WLAN can be deployed in different ways, such as a centralized deployment, a distributed campus deployment, or a controller-less architecture, with traffic between access points and the controller carried over CAPWAP or GRE tunnels. Note that CAPWAP can encrypt the tunnel with DTLS, whereas GRE by itself provides encapsulation but no encryption.

The pump server and the infusion pumps can be placed on different VLANs. For example, the SSID to which a pump connects can be mapped to a dedicated VLAN that is separate from the VLAN of the pump server, so that traffic between the two must cross a routed (and therefore filterable) boundary.

The Actors

There are multiple actors interacting in the above architecture.

  1. Data flows between the infusion pump and the pump server for the following activities:

    • To remotely manage the pump

    • To modify the drug library and dosage/prescription details

    • To perform software/firmware updates

  2. The infusion pump may also include advanced features such as storing protected health information (PHI), and it may forward patient treatment information to other servers holding EHR data, represented by the Clinical Services Server in the above figure.

  3. Wireless infusion pumps and pump servers require access by the manufacturer for software and firmware upgrades, patching and maintenance, device repair, and similar activities. Often this remote access uses a vendor-provided connection mechanism such as TeamViewer or LogMeIn, which bypasses the HDO's own remote-access controls unless it is deliberately brought under them.

The Threats

Like any connected device, a wireless infusion pump faces a range of threats, such as:

  • Unauthorized access

  • Denial of Service attack

  • Advanced persistent threats (APT)

  • Device misconfiguration

  • Unintentional device misuse

Unauthorized Access

According to a recent Verizon study, healthcare is the only industry in which the threat from insiders is greater than the threat from outsiders. For example, a privileged individual such as an employee with access to an infusion pump can extract or tamper with PHI, or compromise drug delivery, by exploiting the following vulnerabilities:

  • Use of default password or hard-coded credentials (e.g. CVE-2017-12725)

  • Use of unsecured network services such as Telnet or FTP, or debug-enabled interfaces (e.g. CVE-2017-12720, CVE-2015-3459)

These targeted attacks do not require much knowledge of the pump or pump server, but they can cause considerable damage to pump operation. Even in a well-segmented network, a privileged employee can reach the pump server and the infusion pump, because segmentation restricts where traffic can flow, not who is sitting on the permitted side of it. Unauthorized remote login using a stolen vendor credential can compromise an infusion pump in the same way.

For infusion pumps configured to use WPA2-PSK, every device on the SSID shares the same pre-shared key, so a key recovered from any single pump (or from a configuration backup) admits an attacker to the entire pump network. WPA2-Enterprise with per-device credentials avoids this single shared secret.

Denial of Service

These attacks primarily operate within the premises of the healthcare delivery organization (HDO) and can target both the pump server and the infusion pump. There are several ways a denial-of-service attack can occur, but one easy way is a man-in-the-middle setup such as ARP poisoning. For infusion pumps that do not validate the host certificate (e.g. CVE-2017-12721) or that expose a Telnet port with no authentication (CVE-2015-3459), an attacker on the same segment can simply target the pump's open ports from a laptop and cause a denial of service, corrupting its file system or disrupting drug delivery. The attacker can also hijack sessions to steal session identifiers and possibly gain access to the pump server, causing broader damage.
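The ARP-poisoning step described above is detectable from the pump VLAN itself. The following is an added example, not code from the original page or from any vendor product, of a detector that inspects ARP replies as a monitoring host on a mirror port would see them. The gateway addresses and the capture are constructed for the example. It flags the two signals that ARP poisoning produces: one IP address being answered by more than one MAC, and a MAC other than the known gateway MAC claiming the gateway IP.

```python
"""Detect ARP poisoning on an infusion-pump VLAN from observed ARP replies.

Added example (not the page's or any vendor's code). The gateway binding and
the sample capture below are constructed values for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float          # seconds since capture start
    sender_ip: str     # IP the reply claims to answer for
    sender_mac: str    # MAC the reply says owns that IP


# Assumed known-good binding for the pump VLAN's default gateway.
GATEWAY_IP = "10.20.30.1"
GATEWAY_MAC = "00:11:22:33:44:01"

# Constructed capture: normal traffic, then an attacker (MAC ...:ee) answering
# for both the gateway and the pump server so that pump traffic flows through it.
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.20.30.1",  "00:11:22:33:44:01"),   # gateway
    ArpReply(0.5, "10.20.30.50", "00:11:22:33:44:50"),   # pump server
    ArpReply(1.0, "10.20.30.77", "00:11:22:33:44:77"),   # infusion pump
    ArpReply(5.0, "10.20.30.1",  "de:ad:be:ef:00:ee"),   # attacker claims gateway
    ArpReply(5.1, "10.20.30.50", "de:ad:be:ef:00:ee"),   # attacker claims pump server
]


def detect_arp_spoofing(replies, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC):
    """Return a list of alert tuples found in the given ARP replies.

    Alert forms:
      ("gateway_impersonation", ip, mac)   a MAC other than the known gateway
                                           MAC answered for the gateway IP
      ("ip_mac_conflict", ip, (mac, ...))  the same IP was claimed by more than
                                           one MAC during the capture
    """
    macs_by_ip = defaultdict(set)
    alerts = []
    for r in replies:
        mac = r.sender_mac.lower()
        macs_by_ip[r.sender_ip].add(mac)
        if r.sender_ip == gateway_ip and mac != gateway_mac.lower():
            alerts.append(("gateway_impersonation", r.sender_ip, r.sender_mac))
    for ip, macs in macs_by_ip.items():
        if len(macs) > 1:
            alerts.append(("ip_mac_conflict", ip, tuple(sorted(macs))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES):
        print(alert)
```

A detector like this only tells you the poisoning happened; the preventive control is Dynamic ARP Inspection (or an equivalent) on the access switches, so that ARP replies that do not match the DHCP snooping binding table are dropped before the pump ever sees them.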

Advanced Persistent Threats (APT)

APT is a term used to describe an attack in which the attacker establishes a long-term presence on a network. An infusion pump can become the launch point for such an attack when a bad actor successfully places malicious code on it, with consequences throughout the hospital's infrastructure. APTs are difficult to detect and can remain hidden, in reconnaissance mode, for a long time before they act. Moreover, this malware often establishes additional points of compromise by spreading laterally through the network without being detected. This stealthy behavior makes detection challenging and remediation complex, because by the time the intrusion is found it may have several footholds that all need to be removed.

In many cases, a vulnerability such as the hard-coded credentials of CVE-2017-12725 is what lets the attacker place the malicious software on the pump in the first place.

Misconfiguration

HDO networks are complex to administer and configure. In such a diverse environment, with thousands of connected devices, many of them life-saving, IT administrators are constantly bombarded with configuration change requests. This increases the chance of a network misconfiguration that causes a pump to suffer performance degradation or lose connectivity with the pump server. In another scenario, a clinical engineer may unintentionally leave a port open on the pump as part of administrative work, exposing it to threat actors. Medical devices are also passively exposed to network noise such as multicast or broadcast storms caused by switch misconfigurations, which can impact their performance. These human errors increase the attack surface.

Unintentional device misuse

This covers scenarios in which an exposed port on the infusion pump or pump server, for example a Universal Serial Bus (USB) port, is used for extracting data or for recharging mobile phones. Using these ports for unintended purposes can inadvertently allow malicious code to migrate onto the pump or pump server.

Our Recommendations

Hmatix recommends the following best practices to secure the Wireless Infusion Pump ecosystem.

The numbers shown in the above figure refer to the ID in the best practices table below

Best Practices

ID | Best Practice | NIST CSF Subcategory | Recommendation
1 | Create a unique SSID for wireless infusion pumps to connect to the HDO wireless network, and map that SSID to its own VLAN. | PR.AC-5: Network integrity is protected | Keep patient and visitor network access separate from the medical device network.
2 | Segment the network and segregate the segments to limit threat exposure to the larger enterprise. | PR.AC-5: Network integrity is protected | There are multiple ways to segment the network, from plain VLANs to a combination of VLANs and firewalls, termed zones.
3 | Sandbox devices that cannot be patched. | PR.PT: Protective Technology | The Hmatix solution can provide complete sandboxing of the infusion pump and pump server and isolate them from newer threats and vulnerabilities.
4 | Limit trust between network segments by controlling which machines and services can communicate across them, using identified ports and IP protocols. | PR.AC-5: Network integrity is protected | The Hmatix solution provides automated enforcement based on the baseline, ensuring that only trusted devices can communicate with the infusion pump and pump server while unauthorized traffic is blocked.
5 | Identify the protected critical assets in the wireless infusion pump ecosystem in detail: hardware, software, and operational status. | ID.AM-1, ID.AM-2: Hardware and software platforms are identified and inventoried | The Hmatix solution identifies the endpoints being protected by creating a chain of trust. With its ability to integrate with ITAM tools and provide availability and operational status, an IT administrator can perform a complete security audit.
6 | Identify existing actors, flows, vulnerabilities, risks and threats, and use cyber threat intelligence to understand the existing risk within the wireless infusion pump ecosystem. | ID.RA-1, ID.RA-2: Risk Assessment | The Hmatix solution can perform risk assessment and threat intelligence and identifies open vulnerabilities on the infusion pump and pump server.
7 | Perform regular integrity checking of the infusion pump and pump server, covering changes to software, firmware and device identity. | PR.DS-6: Integrity checking | The Hmatix solution can perform active and passive scanning of endpoints, giving the security administrator greater insight into the assets.
8 | Create a baseline model of network operations and of the expected data flows between the infusion pump and other network entities. | DE.AE: Anomalies and Events | The Hmatix solution learns endpoint behavior using autonomous learning and generates a baseline model for every device being protected.
9 | Perform continuous monitoring of the infusion pump and pump server to detect anomalies outside the baseline. | DE.CM: Security Continuous Monitoring | The Hmatix solution detects anomalies with a low false-positive rate because of its proximity to the connected device and its device-centric baselining.
10 | Use a proxy server to terminate remote vendor logins, and from there initiate RDP or another agreed mechanism to connect to the pump server or infusion pump. This makes every remote session traverse one controlled point, which simplifies baselining and auditing of remote access and helps detect unauthorized access. | PR.AC-3: Remote access is managed | The Hmatix solution can automatically identify this proxy as a trusted entity while creating the baseline profile.
11 | Protect data in transit by allowing communication only between trusted machines and applications over allowed ports. | PR.DS-2: Data-in-transit is protected | The Hmatix solution can block anomalous traffic in real time and only allows communication with trusted entities over known ports.
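Best practices 4, 8, 9 and 11 describe one mechanism: learn the expected flows between zones, then allow only those flows and flag everything else. The following is an added example of that mechanism written for this page; it is not the Hmatix product or code from the original document. The zone addressing plan (pump VLAN, pump server, vendor proxy, EHR server) and all flow records are constructed for the example, in the shape a firewall or NetFlow collector exports. Keying the baseline on zones rather than individual pump addresses means a newly enrolled pump on the pump VLAN is still matched by the learned policy, while a workstation reaching the pump server directly instead of via the vendor proxy is not.

```python
"""Learn a zone-level flow baseline for the pump ecosystem and audit later traffic.

Added example (not the page's or any vendor's code). The zones, addresses and
flow records are constructed for illustration.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


# Assumed addressing plan: pump SSID mapped to VLAN 30, pump server on VLAN 40,
# vendor remote sessions terminated on a proxy, EHR / clinical services on VLAN 60.
ZONES = {
    "pump":         ipaddress.ip_network("10.20.30.0/24"),
    "pump_server":  ipaddress.ip_network("10.20.40.10/32"),
    "vendor_proxy": ipaddress.ip_network("10.20.50.5/32"),
    "ehr":          ipaddress.ip_network("10.20.60.0/24"),
}


def zone_of(ip):
    """Map an address to its zone; anything not in the plan is 'other'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "other"


def flow_key(flow):
    """Baseline key: (source zone, destination zone, protocol, destination port)."""
    return (zone_of(flow.src), zone_of(flow.dst), flow.proto, flow.dport)


def learn_baseline(flows, min_count=2):
    """Keep only keys seen at least min_count times in the learning window.

    The threshold stops a single stray connection during learning (a one-off
    FTP session, say) from being baked into the allow-list.
    """
    counts = Counter(flow_key(f) for f in flows)
    return {k for k, n in counts.items() if n >= min_count}


def audit(flows, baseline):
    """Return [(flow, 'allow' | 'anomaly'), ...] for flows from a later window."""
    return [(f, "allow" if flow_key(f) in baseline else "anomaly") for f in flows]


# Constructed learning window captured during clean operation.
LEARNING_FLOWS = [
    Flow("10.20.30.11", "10.20.40.10", "tcp", 443),   # pumps to pump server
    Flow("10.20.30.12", "10.20.40.10", "tcp", 443),
    Flow("10.20.30.13", "10.20.40.10", "tcp", 443),
    Flow("10.20.40.10", "10.20.60.20", "tcp", 443),   # pump server to EHR
    Flow("10.20.40.10", "10.20.60.20", "tcp", 443),
    Flow("10.20.50.5",  "10.20.40.10", "tcp", 3389),  # vendor proxy RDP to pump server
    Flow("10.20.50.5",  "10.20.40.10", "tcp", 3389),
    Flow("10.20.30.12", "10.20.40.10", "tcp", 21),    # one stray FTP flow, below min_count
]

# Constructed flows from a later window.
LATER_FLOWS = [
    Flow("10.20.30.14", "10.20.40.10", "tcp", 443),   # newly enrolled pump, expected path
    Flow("10.20.30.11", "10.20.30.12", "tcp", 23),    # pump-to-pump telnet
    Flow("10.1.1.5",    "10.20.40.10", "tcp", 3389),  # RDP to pump server bypassing the proxy
    Flow("10.20.30.11", "8.8.8.8",     "udp", 53),    # pump talking to the internet
    Flow("10.20.30.13", "10.20.40.10", "tcp", 21),    # FTP to pump server
]

if __name__ == "__main__":
    baseline = learn_baseline(LEARNING_FLOWS)
    for flow, verdict in audit(LATER_FLOWS, baseline):
        print(f"{verdict:8} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
```

In an enforcement deployment the same learned set becomes the firewall or ACL policy between the pump VLAN and the pump server VLAN; in a monitoring-only deployment the "anomaly" verdicts become alerts. Either way the learning window must be reviewed by someone who knows what the pumps are supposed to do, since a baseline captured while an attacker is already present will faithfully allow the attacker's traffic.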