Smiths Medical, the Plymouth-based maker of hospital infusion pumps, confirmed earlier this month cybersecurity vulnerabilities in its Medfusion 4000 drug pumps, which are used in pediatric cases worldwide.
The company said Monday that it has received no reports of computer hackers exploiting the vulnerabilities.
The U.S. Homeland Security Department published an advisory Sept. 7 revealing that three versions of Smiths Medical's Medfusion 4000 drug infusion pump contain vulnerabilities that would allow a skilled computer hacker to remotely take control of the device and alter how it dispenses drugs.
Smiths Medical said it is working with Homeland Security and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) on the issue and plans to roll out new software for versions 1.1, 1.5 and 1.6 in January.
"In the meantime," Smiths spokeswoman Meghan Cushing said via e-mail, "we've contacted our customers with actions they can take immediately to safeguard their devices, and continue safe delivery of fluids and medication."
On its website, Smiths Medical promotes the Medfusion 4000 pump for its ability to accurately dispense small doses of drugs in critical care situations, including in neonatal and pediatric intensive care.
Brett Landrum, Smiths Medical chief technology officer, apologized to Medfusion 4000 customers in a Sept. 7 letter, but noted that the chances of anyone actually exploiting the vulnerabilities were "highly unlikely."
A company spokeswoman confirmed Monday that no reports of malicious exploits have been received.
Todd Carpenter, chief engineer with Minneapolis-based cybersecurity firm Adventium Labs, urged hospitals that use Medfusion 4000 pumps to take the warnings seriously.
"Please, if you are from a clinic that uses these devices, follow the manufacturer's recommendations to update the devices. That will drastically reduce your risk," Carpenter said in an e-mail. "Monitor all your manufacturer updates, and keep your devices patched. While this is an expensive part of your operation, it is definitely important."
The advisory from Homeland Security said an independent security researcher named Scott Gayou discovered the vulnerabilities in the device. Cushing confirmed that on Monday and said Gayou approached Smiths Medical first with his concerns.
"The independent researcher notified us of the exploit after purchasing the device from a secondary market and spending several hundred hours attempting to identify vulnerabilities," Cushing wrote. "At that point, we immediately engaged with the FDA Center for Devices and Radiological Health and ICS-CERT to investigate the situation and find a solution."
Federal officials have recently publicized several cybersecurity vulnerabilities involving medical devices.
Last month, the Food and Drug Administration approved a software update for hundreds of thousands of implanted pacemakers made by Minnesota's St. Jude Medical. The pacemakers were designed to communicate wirelessly with a bedside monitor, but the communications system can also be exploited by a hacker to deplete a device battery or administer inappropriate electric shocks.
"Many medical devices — including St. Jude Medical's implantable cardiac pacemakers — contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits," the FDA alert said. "As medical devices become increasingly interconnected via the internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cyber-security vulnerabilities, some of which could affect how a medical device operates."
Just last week, Homeland Security published a cybersecurity advisory for versions of Philips' IntelliView MX40 Patient Worn Monitor used in wireless area networks. Two weeks ago, Homeland sent out a cybersecurity advisory for SmartLog Diabetes Management Software, made by i-SENS.
One of the best-known examples happened in July 2015, when the FDA urged hospitals to stop using Hospira's Symbiq drug-infusion pump because security vulnerabilities could have allowed hackers to access the device through a hospital's IT network and change dosages of drugs being administered. Hospira had already stopped selling the pumps by the time the FDA sent its alert.
Adventium's Carpenter said it wasn't surprising that vulnerabilities would crop up in long-lasting machines like bedside drug-infusion pumps, which are widely available secondhand.
On Monday, a search for the term "infusion pump" on eBay turned up hundreds of devices for sale.
"Infusion pumps of one sort or another are in pretty much every hospital in the U.S. Mechanically, they are well-built, and last a very long time. Frankly, many of them were so well-built mechanically that they have outlived their software," Carpenter wrote.