Billy Rios, a security expert conducting research on medical devices manufactured by Hospira, found deadly serious security flaws in drug delivery pumps. In short: hacked medical pumps could kill you. Currently, there are hundreds of thousands of Hospira pumps in hospitals throughout the U.S.
I wrote a piece last month regarding an FDA alert about such security issues, reported to the FDA and the Department of Homeland Security. The affected pumps included the PCA 3 and PCA 5 Lifecare infusion line. These pre-filled pumps deliver safe and accurate levels of medications, thus eliminating the risk of human error.
Normally, a medical professional would scan a barcode telling the pump which medication library to access to confirm safe dosage. An alert sounds if the manually entered dose is incorrect. Failsafe, right?
Wrong. Rios’ first discovery revealed that hackers could access the medication libraries and change upper dosage limits as well as upload completely new libraries. Shockingly, over a year has passed since Rios warned Hospira, and the company has changed nothing, even after the FDA issued its alert.
Following the FDA alert, Rios suggested to Hospira that it investigate its other pumps for similar security risks. He said the company was “not interested in verifying that other pumps are vulnerable.”
Rios decided he’d do Hospira’s work for them and purchased a variety of pumps for independent testing. His results are listed in his blog, released on Monday. The results of Rios’ testing are shocking.
While the original security issues were bad enough, hackers were restricted to altering dosage limits and uploading new libraries. The newly discovered issues are far more serious. Hackers can now access the pumps’ firmware and gain complete control of the device, allowing them to not only alter dosage but to actually deliver the drugs to patients. Depending on the medication, this gives hackers the ability to kill.
On top of everything else, the hardcoded service credentials for the pumps are identical across product lines. In other words, hack one and you can hack them all. The devices’ software was also found to be outdated, opening them to over 100 other security issues.
According to Rios, “For the most part, we all agree that the device vendor is in the best position to determine the scope and the depth of a particular security issue. They are also a key part of determining whether a particular issue can be used to cause patient harm. If we can’t trust medical device manufacturers to be transparent about publicly known security issues and vendors like Hospira continue to harbor the ‘we’d rather not know’ attitude towards security issues, we’ll have to find an alternative to medical device vulnerability analysis. I hope Hospira is the exception here.”
Of course, Hospira’s PR representative quickly commented via an issued statement, “Supporting safe and effective delivery of medication is Hospira’s priority. In the interest of patient safety, Hospira has been actively working with the Department of Homeland Security (DHS) and the U.S. Food and Drug Administration (FDA) regarding reported vulnerabilities in our infusion pumps. The company has communicated with customers on how to address the vulnerabilities following recent advisories from the FDA and DHS. There are no instances of cybersecurity breaches of Hospira devices in a clinical setting.
Exploiting cybersecurity vulnerabilities requires penetrating several layers of network security enforced by the hospital information system, including secure firewalls. These measures serve as the first and strongest defense against tampering, and the infusion systems provide an additional layer of security.
As we have been doing with DHS and FDA for some time, we will continue to investigate any feedback we receive on our devices. We will also continue to communicate with customers regarding cybersecurity, and software and infusion pump updates and/or enhancements.”
Don’t you feel comforted? I know I don’t. It seems like the response quoted earlier is the “real” one and this last statement is a “CYA” move. Here’s hoping that hackers devote their time to changing Right Wing hate sites to gay porn instead of pumping lethal doses of morphine into people’s MeeMaws.