Infusion pumps sold on secondary markets in the US still carry sensitive information about the hospitals that once owned them, researchers have found.

Infusion pumps for sale on eBay (representative picture). © eBay 2023

Rapid7 – a cybersecurity firm that deals with software vulnerabilities – examined 13 infusion pump device brands. It found that eight of the 13 devices held sensitive information, and most included WiFi passwords that could still be valid in US hospitals.

The devices are sold second-hand – sometimes through online marketplaces like eBay – when medical organisations upgrade to newer models. This research highlights an ongoing issue with medical devices: potentially critical information can be left on machines that are not properly wiped prior to resale.

Shawn Surber, senior director and healthcare strategist at cybersecurity firm Tanium, said healthcare institutions “should be just as disciplined disposing of devices as they are with biological materials.”

Infusion pumps – devices used to deliver fluids into a patient’s body – have been an ongoing source of concern for cybersecurity experts. A 2022 study conducted by cybersecurity firm Palo Alto Networks revealed that as many as 75% of smart infusion pumps – out of 200,000 – connected to hospital networks may be vulnerable to digital attacks.

John Gallagher, vice president of internet-of-things at security company Viakoo Labs, said: “Whether it is cyber hygiene, proper network setup, or, as in this case, purging and decommissioning devices, it is a new skill set to these teams. It should be addressed through better cross-team coordination or training – or some combination thereof.”