Regulatory Focus™ > News Articles > Government Cybersecurity Officials Warn Hospira Device Vulnerable to Hackers

Government Cybersecurity Officials Warn Hospira Device Vulnerable to Hackers

Posted 06 May 2015 | By Alexander Gaffney, RAC

Government Cybersecurity Officials Warn Hospira Device Vulnerable to Hackers

US cybersecurity officials have issued a warning regarding a medical device manufactured by Hospira, saying the device was identified as having several vulnerabilities which have since been patched.

The warning, issued on 5 May 2014 by the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) focuses on Hospira's LifeCare PCA Infusion System, an intravenous pump used to deliver medication to patients.

ICS-CERT said that a security researcher, Billy Rios, had approached it more than a year ago after identifying "an improper authorization vulnerability and an insufficient verification of data authenticity vulnerability in Hospira's LifeCare PCA Infusion System."

The agency said it has spent the last year working with Hospira to close the vulnerabilities, which ICS-CERT said could have allowed "unauthenticated users" to access the infusion pump's controls, allowing the user to alter the amount—or even the type—of product dispensed.

"As a result, anyone on the hospital’s network—including a patient in the hospital or a hacker accessing the pumps over the internet—can load a new drug library to the pumps that alters the limits, thereby potentially allowing the delivery of a deadly dosage," Wired wrote of Rios' findings in a report earlier this year.

"These vulnerabilities could be exploited remotely," ICS-CERT confirmed in its public notice. Officials said they were not aware of "known public exploits specifically [targeting] these vulnerabilities," though an attacker with "low skill" would be able to take advantage of at least one of the known vulnerabilities, it said.

The "identified vulnerabilities" have since been patched by Hospira, and the updated software is undergoing review by the US Food and Drug Administration (FDA), ICS-CERT explained. "The release date for the new version has not been determined."

ICS-CERT's website contains a number of recommendations meant to protect Hospira's LifeCare PCA device from being exploited.

According to a 2014 report by Reuters, the Hospira device is one of several dozen devices being analyzed by ICS-CERT for vulnerabilities.


ICS-CERT Statement

Categories: Regulatory News

Regulatory Focus newsletters

All the biggest regulatory news and happenings.