- Aug 17, 2014
Data collected from more than 200,000 network-connected medical infusion pumps used to deliver medication and fluids to patients shows that 75% of them are running with known security issues that attackers could exploit. The findings reveal that tens of thousands of devices are vulnerable to six critical-severity flaws (9.8 out of 10) reported in 2019 and 2020.
Using data collected from customers, researchers at Palo Alto Networks analyzed the security state of over 200,000 infusion pumps and found that between 30,000 and at least 100,000 of them are vulnerable to critical security issues. The most prevalent critical-severity flaw encountered is CVE-2019-12255, a memory corruption bug in the VxWorks real-time operating system (RTOS) used for embedded devices, including infusion pump systems. According to data from Palo Alto Networks, the flaw is present in 52% of the analyzed infusion pumps, which translates into more than 104,000 devices.
In a post today, Palo Alto Networks recommends healthcare providers adopt a proactive security strategy for keeping devices safe from known and unknown threats, which starts with an accurate inventory of all systems on the network. The researchers note that not all the vulnerabilities currently affecting the analyzed infusion pumps are practical for remote attacks but they are a "risk to the general security of healthcare organizations and the safety of patients."
Over 100,000 medical infusion pumps vulnerable to years old critical bug
Data collected from more than 200,000 network-connected medical infusion pumps used to deliver medication and fluids to patients shows that 75% of them are running with known security issues that attackers could exploit.