Hospital Drug Pumps Hack Warning

A cyber security expert has said hospital drug pumps produced by a leading medical supplier could be hacked because of security weaknesses.

Medical supplier Hospira said patient safety was its "priority" and that it was working with regulators to fix the issues.

The firm said: "Exploiting cybersecurity vulnerabilities requires penetrating several layers of network security enforced by the hospital information system, including secure firewalls.

"As we have been doing with DHS (Department of Homeland Security) and FDA (Food and Drug Administration) for some time, we will continue to investigate any feedback we receive on our devices. We will also continue to communicate with customers regarding cybersecurity, and software and infusion pump updates and/or enhancements."

The firm also said it had submitted a new version of its LifeCare Infusion System for the approval to the FDA.

The US Department of Homeland Security said Hospira had "validated" vulnerabilities in this product and the new version would mitigate those security weaknesses.

Cyber security experts Billy Rios said he had found that drug updates, which are the upper and lower limits for the amounts of medication a patient can safely receive, could be altered remotely.

Mr Rios wrote: "What I found was very interesting, many of Hospira's infusion pumps utilise identical software on their infusion pumps' communications module, making them vulnerable to the exact same security issues associated with the PCA3 [the model originally identified with weaknesses]."

Mr Rios said he found that the pumps used outdated software and had identical encryption certificates, private keys and service credentials.

Jeremy Richards, security researcher from Oxtech Security described the PCA3 model as the "least secure IP-enabled device" he had ever seen.

In a blog post, Richards wrote: "I would personally be very concerned if this device was being attached to me.

"It is not only susceptible to attack, it is so poorly programmed it can be rendered a useless brick with a single typo."

print this article

Return to internet news headlines
View Internet News Archive

Share with: