[UPDATE 10.6.2015: Updated with Hospira statement.]
Drug pumps used widely in the US contain severe security vulnerabilities which could allow hackers to administer fatal doses, a researcher claims.
Billy Rios, a security expert who has been testing medical devices produced by Hospira over the past few years, has discovered serious security flaws in the firmware of drug pumps which could have catastrophic results for patients in US hospitals.
Hundreds of thousands of Hospira pumps are currently in use in hospitals across the United States.
Earlier this year, the researcher reported a series of vulnerabilities to the Department of Homeland Security and the US Food and Drug Administration (FDA) affecting PCA 3 Lifecare infusion pumps, which pre-filled pumps used to ideally administer safe levels of drugs and take away the possibility of human error.
A nurse scans medication barcodes which then tell the pump which medication library to consult to double-check safe dosage levels. If the dosage level entered into the machine is incorrect, an alert is sounded.
The original vulnerabilities reported included the ability to tap into drug libraries without authentication, giving hackers the ability to alter drug dosage upper limits and upload new libraries.
However, 400 days later, these original issues discovered in the PCA 3 and PCA5 have not been patched, despite an alert issued by the FDA in May in relation to the security problems.
In May, Rios recommended that Hospira examine its other pumps for similar security problems. In response, Hospira said the company was "not interested in verifying that other pumps are vulnerable," the researcher says.
As Hospira has ignored these security issues, Rios has decided to publicly disclose the findings of further investigation into the company's products.
In a blog post on Monday, Rios detailed his findings after independently purchasing additional pumps and analyzing product security.
The more serious vulnerabilities now discovered in these healthcare products go further than allowing hackers to forge drug library updates to the infusion pump. The original flaws did not permit cyberattackers to do more than alter dosage limits, but the newly-discovered vulnerabilities are more serious.
As the pumps do not require authenticated updates or genuine signed certificates, the firmware can be updated and exploited by an intruder to give a hacker complete control over devices -- accessible through a serial cable which connects the communications module and circuit board.
The original flaws allow maximum dosage levels to be raised and the firmware control gives hackers the ability to deliver drugs -- with potentially fatal results.
In addition, the pump models have identical hardcoded service credentials across different device lines -- and so if one set of credentials is obtained, the keys to the kingdom are available -- identical private keys across different device lines and identical encryption certificates.
Outdated software also appears to be a severe issue, as the researcher found outdated versions vulnerable to over 100 security problems and potential exploits.
The researcher writes:
"Many of Hospira's infusion pumps utilize identical software on their infusion pumps communications module, making them vulnerable to the exact same security issues associated with the PCA 3 [...] I find it impossible to believe that Hospira was unaware that the PCA3 issues also affected other pumps in their product lines."
The PCA 3 Lifecare and PCA 5 Lifecare, both mentioned in the FDA advisory, are both still vulnerable. In addition, Rios says Hospira's Plum A+ Infusion Pumps, PCA Lifecare and Symbiq -- although no longer sold by Hospira -- are all vulnerable to the same security issues.
The researcher also suspects the Plum A+3, Plum 360, Sapphire and Sapphire Plus are all exploitable. However, this has not been verified.
"For the most part, we all agree that the device vendor is the best position to determine the scope and the depth of a particular security issue. They are also a key part of determining whether a particular issue can be used to cause patient harm.
If we can't trust medical device manufacturers to be transparent about publically known security issues and vendors like Hospira continue to harbor the, "we'd rather not know" attitude towards security issues, we'll have to find an alternative to medical device vulnerability analysis. I hope Hospira is the exception here."
A Hospira spokesman forwarded us the following statement concerning cybersecurity:
"Supporting safe and effective delivery of medication is Hospira's priority. In the interest of patient safety, Hospira has been actively working with the Department of Homeland Security (DHS) and the U.S. Food and Drug Administration (FDA) regarding reported vulnerabilities in our infusion pumps. The company has communicated with customers on how to address the vulnerabilities following recent advisories from the FDA and DHS. There are no instances of cybersecurity breaches of Hospira devices in a clinical setting.
Exploiting cybersecurity vulnerabilities requires penetrating several layers of network security enforced by the hospital information system, including secure firewalls. These measures serve as the first and strongest defense against tampering, and the infusion systems provide an additional layer of security.
As we have been doing with DHS and FDA for some time, we will continue to investigate any feedback we receive on our devices. We will also continue to communicate with customers regarding cybersecurity, and software and infusion pump updates and/or enhancements."