Serious alarm is finally being raised over drug pumps in thousands of hospitals around the world being vulnerable to hacking. A security expert said whose previous warnings were ignored – until he proved hackers could kill patients remotely.
Billy Rios, a security expert, earlier this year tested several pumps belonging to major drug pump maker Hospira, which delivers devices to over 400,000 hospitals globally. What he found was alarming, but not enough to cause widespread fear. Rios discovered that a hacker could remotely make the intravenous pump forget to warn the physician if they made a mistake setting the dosage.
So he kept on digging and later figured out how hackers could remotely change the firmware of a device and administer a fatal dosage at will.
“Anyone can do this, and it’s just a matter of time before someone figures out how,” Rios said.
“These pumps are actually just computers, and so – just as you would take your laptop and join a wireless network, these pumps are on networks as well,” Rios added.
When he initially contacted the Illinois-based manufacturer to alert them to the problem, they simply denied it existed. In their view, this was justified by the communications module and circuit board being separate inside the device.
To refute this, all Rios had to do was open one up and see that the two things were actually connected by a serial cable, and in such a way “that you can actually change the core software on the pump,” as he explained to Wired.
All they would need is rudimentary knowledge of electronics and access to the hospital network the pump is connected to. This means anybody logged on to the hospital internet could cause serious damage, including the patients themselves.
“Also, if you wanted to, for example, change the configuration of a pump, you could do that remotely, through the wireless interface. If you wanted to upload a new [so-called] ‘drug library’ to the pump, you could do that through one of the servers on the hospital network. And so, once someone understands how that’s done, they can basically issue their own commands to the pump and make the pump do things it was not designed to do,” Rios continued.
A ‘drug library’ is basically a database containing drug information and dosages for different medications. What Rios found is that the libraries didn’t have to be authenticated, nor do they carry a digital signature. This means an imposter could just substitute a local library for one of their own.
But this didn’t cause much of a stir with Hospira until Rios found the dosage could be changed remotely.
The firmware – used by a manufacturer to make remote updates to an electronic device – was always the machines’ vulnerability, according to Rios.
At least five models by the manufacturer are vulnerable, including: the standard PCA LifeCare pumps; the PCA3 and PCA5 models; the Symbiq series (which went offline in 2013 owing to safety issues) and the Plum A+ – which is arguably the scarier of the bunch, being present in over 325,000 hospitals around the world.
Rios also suspects the newer Plum A incarnation, as well as two models in the Sapphire range, are also vulnerable.
“I’ve looked at a variety of medical devices over the last couple of years. A lot of them do have security issues and, if you have software, there’s going to be bugs.”
Hospira was contacted by Wired for comment, but failed to respond.
The manufacturer didn’t want to address the initial vulnerabilities even after the Food and Drug Administration issued warnings and recommendations earlier on how to fix the bug, including how to get the devices off a common or remotely-accessible network. However, that was before Rios had tested the remainder of the devices.
Writing on his blog on Monday, Rios spoke of his surprise that Hospira simply refused to address this grave security threat. “Over 400 days later, we have yet to see a single fix for the issues affecting the PCA 3,” he writes.
In May last year, “I recommended Hospira conduct an analysis to determine whether other infusion pumps within their product lines were affected. Five months after my request for a variant analysis, I received notification that Hospira was ‘not interested in verifying that other pumps are vulnerable.’”
The company, however, issued a statement to Mashable, which had also spoken to Rios. Hospira says it’s now working with the FDA and the Department of Homeland Security (DHS) to address the vulnerabilities.
Meanwhile, Rios is working on the Sapphire line of pumps to detect further security flaws.