Infusion pumps sold on secondary markets such as eBay still carry troves of sensitive information about the hospitals that once owned them, researchers have found.
Rapid7 principal security researcher Deral Heiland and several colleagues examined 13 infusion pump devices from brands including Alaris, Baxter and Hospira, finding access credentials and authentication data belonging to their previous owners. Infusion pumps are critical devices that sit next to hospital beds and deliver fluids, medication or nutrients into a patient's circulatory system.
The examination sheds light on a persistent problem in the medical device field: sensitive data stored on infusion pumps is often not properly purged before the devices are disposed of. The devices frequently end up on secondary markets when hospitals upgrade them or replace them with newer models.
Eight of the 13 examined devices still held sensitive information; the remaining five did not, which Heiland said showed that some had indeed been properly purged of data before being sold on sites like eBay.
Most of the devices that retained data still held Wi-Fi credentials that had a high probability of still being valid at medical organizations in the U.S., giving a buyer a potential foothold on the previous owner's network.
“Defining restrictions on what can or cannot be sold online becomes difficult. How would the market — eBay, for example — police that to identify whether devices have or have not been purged?” Heiland told Recorded Future News.
“In this case, I believe the responsibility lies with both parties. First, embedded medical technology vendors should provide a simple and well-documented method for purging the devices prior to their decommissioning and transfer. Second, medical organizations that leverage these technologies should implement processes and procedures (cradle to grave) that ensure the devices are properly purged of data prior to being decommissioned and sold or transferred to another party.”
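One concrete form the "verify before transfer" step in such a cradle-to-grave process can take is an automated check over what is exported from the device before it leaves the organization. The following is an added illustration, not Rapid7's tooling and not any pump vendor's format: it assumes a hypothetical key=value settings dump plus any files recovered from the device's storage, and flags residual credential material (Wi-Fi PSKs, passwords, EAP identities, private keys) and internal hostnames or addresses that would identify the previous owner's network. The sample dumps are constructed for the example.

```python
"""Hypothetical purge-verification check for a decommissioned device.

Added example, not Rapid7's code and not a real vendor's export format.
It assumes a key=value settings dump plus recovered files, and reports
anything that should not survive decommissioning.
"""
import re
from typing import Dict, List, Tuple

# Setting names whose values are credentials or authentication data if non-empty.
CREDENTIAL_KEYS = re.compile(
    r"(psk|passphrase|password|passwd|secret|api[_-]?key|token|eap[_-]?identity)",
    re.IGNORECASE)
# Values a purge routine is assumed to leave behind; anything else is "present".
PLACEHOLDERS = {"", "none", "null", "********", "<cleared>"}
PEM_PRIVATE = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")
# RFC 1918 addresses and internal-looking hostnames tie the device to its old network.
INTERNAL_HOST = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|"
    r"172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|[\w-]+\.(?:local|internal|corp))\b")


def parse_settings(dump: str) -> Dict[str, str]:
    """Parse a simple key=value dump, ignoring blank lines and '#' comments."""
    settings: Dict[str, str] = {}
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def find_residue(dump: str, files: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (location, reason) findings; an empty list means nothing was flagged."""
    findings: List[Tuple[str, str]] = []
    for key, value in parse_settings(dump).items():
        if CREDENTIAL_KEYS.search(key) and value.lower() not in PLACEHOLDERS:
            findings.append((f"setting:{key}", "credential value still present"))
        elif INTERNAL_HOST.search(value):
            findings.append((f"setting:{key}", "identifies previous owner's network"))
    for path, content in files.items():
        if PEM_PRIVATE.search(content):
            findings.append((f"file:{path}", "private key material present"))
        if INTERNAL_HOST.search(content):
            findings.append((f"file:{path}", "identifies previous owner's network"))
    return findings


def is_purged(dump: str, files: Dict[str, str]) -> bool:
    """True only when no credential or network-identifying residue was found."""
    return not find_residue(dump, files)


# Constructed sample: a dump as it might look before purging (hypothetical values).
UNPURGED_DUMP = """
# exported device settings (constructed example)
wifi.ssid=HOSP-CLINICAL
wifi.psk=Summer2023!Pumps
wifi.eap_identity=pump-0427@hospital.example
server.host=medserver01.hospital.internal
server.password=changeme
"""
UNPURGED_FILES = {
    "/cfg/client.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
}

# Constructed sample: the same device after secrets and network identifiers were cleared.
PURGED_DUMP = """
wifi.ssid=
wifi.psk=<cleared>
wifi.eap_identity=
server.host=
server.password=<cleared>
"""

if __name__ == "__main__":
    for label, dump, files in (("before purge", UNPURGED_DUMP, UNPURGED_FILES),
                               ("after purge", PURGED_DUMP, {})):
        print(f"{label}: purged={is_purged(dump, files)}")
        for location, reason in find_residue(dump, files):
            print(f"  {location}: {reason}")
```

The point of the check is the release gate: a device leaves the organization only when `is_purged` is true for its export, and the findings list is what goes into the decommissioning record. Masked or placeholder values are treated as cleared, so the check must be run against the device's actual export rather than a redacted report, and the key and hostname patterns would need extending to whatever fields a given pump model stores.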