Hospital drug pump still open to cyberattack, say researchers

10 Jun 2015

Warning of a potentially terrifying scenario, a team of cybersecurity researchers has pointed the finger at Hospira, a drug delivery equipment manufacturer, for failing to fix a series of vulnerabilities affecting its PCA 3 Lifecare infusion pump, which could cause the pump to issue wrong doses of medication.

Hospira, which has a base of operations in Ireland, has supposedly been aware of the vulnerability for more than 400 days after the issue was reported to the US Food and Drug Administration (FDA) by Hextech Security researcher Jeremy Richards.

Speaking in April of this year, Richards had said of the PCA3 pump: “This device is literally the least-secure IP-enabled device I’ve ever touched in my life.”

Now, another researcher, Billy Rios, has said that despite the launch of a new version of the pump, there has been no change in its cybersecurity capabilities, or lack thereof.

In that time, he says, not one coding issue has been changed to close the vulnerabilities, which showed how, with access to a hospital’s internal network, he would be able to change the previously set limits on the amount of drugs a patient could receive.

‘Impossible to believe Hospira was unaware’

This wasn’t just a PCA 3 issue, but also an issue among a number of other Hospira devices, despite the US Department of Homeland Security stating that it was aware of the issue with the original unit and that the newer version of the product would fix the vulnerabilities.

Rios said that, in his opinion, the company is acting dangerously in doing nothing about the issue: “I find it impossible to believe that Hospira was unaware that the PCA3 issues also affected other pumps in their product lines.”

Speaking to the BBC, Hospira dismissed the idea that it could be a genuine threat as there have yet to be any confirmed cases of one of the pumps being compromised.

“Exploiting cybersecurity vulnerabilities requires penetrating several layers of network security enforced by the hospital information system, including secure firewalls,” a Hospira spokesperson said.


Colm Gorey was a senior journalist with Silicon Republic
