Poorly Purged Medical Devices Present Downstream Security Concerns When Sold on Secondary Market
Posted: Tuesday, Aug 08


From KBI

August 8, 2023 — Rapid7, Inc., a leader in cloud risk and threat detection, has released a new research report that assesses the security implications from improper de-acquisition of infusion pumps to illustrate the importance of securing networks, applications, and devices.

In Security Implications from Improper De-acquisition of Medical Infusion Pumps, the report’s primary author and principal security researcher at Rapid7, Deral Heiland, performs a physical and technical teardown of more than a dozen medical infusion pumps, a common device used in the healthcare sector to deliver and control fluids directly into a patient’s body.

“Each of these devices was available for purchase on the secondary market and each one had issues that could compromise their previous organisation’s networks,” warns Heiland.

Heiland says the concept of security that goes from the cradle to the grave is more than just an industry buzz phrase; it is a critical component of securing networks, applications, and devices.

“Sadly, in too many cases, cradle to grave security was either not considered at conception, or it was outright ignored,” Heiland points out.

“Even when organisations are able to take steps to mitigate concerns at the grave portion of the life cycle, they don’t.”

The reason these devices pose such a risk is a lack of (or lax) process for de-acquisitioning them before they are sold on sites like eBay. In at least eight of the 13 devices used in the study, WiFi PSK access credentials were discovered, offering attackers potential access to health organisation networks.

To remedy this risk, Heiland calls for systemic changes to policies and procedures for both the acquisition and de-acquisition of these devices.

“The policies must define ownership and governance of these devices from the moment they enter the building to the moment they are sold on the secondary market. The processes should detail how data should be purged from these devices, and by extension, many others. In the cases of medical devices that are leased, contractual agreements on the purging process and expectations should be made before acquisition,” he said.

The ultimate finding in the report is that properly disposing of sensitive information on these devices should be a priority.

“Purging them of data should not — and in many cases is not — terribly difficult. The issue lies with process and responsibility for the protection of information stored in those devices. And that is a major component of the cradle to grave security concept,” concludes Heiland.

A full copy of the report is available here.

About Rapid7

Rapid7 (Nasdaq: RPD) is advancing security with visibility, analytics, and automation delivered through our Insight cloud. Our solutions simplify the complex, allowing security teams to work more effectively with IT and development to reduce vulnerabilities, monitor for malicious behaviour, investigate and shut down attacks, and automate routine tasks. Over 10,000 customers rely on Rapid7 technology, services, and research to improve security outcomes and securely advance their organisations. For more information, visit our website, check out our blog, or follow us on LinkedIn or Twitter.

The Production Team
The KBI Production Team is a staff of specialist technology professionals with a detailed understanding across much of cybersecurity and emerging technology. With many decades of collective industry experience, as well as expertise in marketing & communications, we bring news and analysis of the cybersecurity industry.