A prominent security researcher is warning that additional infusion pump models manufactured by Hospira are vulnerable to intrusion by hackers, just weeks after a similar warning prompted action by the US Food and Drug Administration (FDA) and the US Department of Homeland Security (DHS).
In May 2015, DHS' Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) released a warning regarding potential security vulnerabilities within Hospira's LifeCare PCA Infusion systems. The devices are used to deliver medication to patients, but research by Billy Rios, a prominent security analyst, determined the devices' authorization controls could be circumvented.
ICS-CERT said the now-patched vulnerabilities could have allowed "unauthenticated users" to access the infusion pump's controls, allowing the user to alter the amount of product dispensed.
"As a result, anyone on the hospital’s network—including a patient in the hospital or a hacker accessing the pumps over the internet—can load a new drug library to the pumps that alters the limits, thereby potentially allowing the delivery of a deadly dosage," Wired wrote of Rios' findings in a report earlier this year.
"These vulnerabilities could be exploited remotely," ICS-CERT confirmed in its public notice. Officials said they were not aware of "known public exploits specifically [targeting] these vulnerabilities," though an attacker with "low skill" would be able to take advantage of at least one of the known vulnerabilities, it said.
Shortly after ICS-CERT's warning, FDA issued a public safety communication confirming the security vulnerabilities and urging healthcare facilities to take steps to patch them.
Now Rios says Hospira's PCA3 and PCA5 infusion pumps aren't the only devices potentially affected by the same vulnerabilities.
In a warning posted on his website on 8 June 2015, Rios said his independent research had determined that several additional pumps may also be susceptible to unauthorized intrusion.
Hospira's Plum A+ Infusion Pumps, PCA Lifecare and Symbiq (formerly sold by Hospira) are "vulnerable to the exact same security issues associated with the PCA3 pumps," Rios claimed, saying he had personally verified the existence of the problems after testing devices purchased independently.
FDA is reportedly already aware of the vulnerabilities and had asked Rios to withhold information about the issue, Wired reports. Rios declined, however, saying Hospira has refused to acknowledge the alleged issue and that hospitals deserved to know immediately given the pumps’ potential risks.
"I find it impossible to believe that Hospira was unaware that the PCA3 issues also affected other pumps in their product lines," Rios concluded.