Security expert Billy Rios has been testing various models of drug infusion pumps manufactured by Hospira for vulnerabilities, Wired reports.
Earlier this year, he discovered that an attacker could raise the maximum allowable limit for a particular drug, so that the device would not alert a caregiver who, for example, administered too much of it.
The devices all use a "drug library" containing the maximum dosages for different medications. Rios found that access to that library was not authenticated: anyone on the hospital's network could load a new library with higher maximum dosages.
This wasn't too alarming, since Rios hadn't seen any way to actually change the dosage being administered itself.
But then he kept on digging.
Rios discovered that the same connection the pump exposes so that Hospira can access and update the device's firmware can also be used by an attacker to upload a malicious update, because the system does not require updates to be authenticated or digitally signed.
"And if you can update the firmware on the main board, you can make the pump do whatever you like," Rios says.
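The missing control the article describes is an update gate that accepts only images signed by the vendor's release key, with the same gate applied to drug-library uploads. The following Go program is an added example, not Hospira's code or firmware format; the image container (a version number, the payload, and an Ed25519 signature over both) is assumed for illustration, and the sample images are constructed inline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// FirmwareImage is a hypothetical update container assumed for this example
// (not Hospira's format): a version number, the raw image bytes, and an
// Ed25519 signature over version||payload made with the vendor's release key.
// A drug-library upload would use the same container and the same check.
type FirmwareImage struct {
	Version uint32
	Payload []byte
	Sig     []byte
}

var (
	ErrUnsigned = errors.New("update is not signed")
	ErrBadSig   = errors.New("signature does not verify under the vendor key")
	ErrRollback = errors.New("update version is not newer than the installed version")
)

// signedBytes returns exactly what the vendor signs and the device verifies.
// The version is covered by the signature so a genuine old image cannot be
// re-labelled as a newer one.
func signedBytes(version uint32, payload []byte) []byte {
	msg := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(msg, version)
	return append(msg, payload...)
}

// SignImage is the vendor-side step: it runs at release time with the private
// key, which never leaves the build environment or reaches the device.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) FirmwareImage {
	return FirmwareImage{
		Version: version,
		Payload: payload,
		Sig:     ed25519.Sign(priv, signedBytes(version, payload)),
	}
}

// VerifyImage is the device-side gate the article says the pumps lack. Only
// the vendor's public key is stored on the pump, so a host on the hospital
// network cannot produce an acceptable image; anything failing here is
// discarded before it is written to flash.
func VerifyImage(pub ed25519.PublicKey, installedVersion uint32, img FirmwareImage) error {
	if len(img.Sig) != ed25519.SignatureSize {
		return ErrUnsigned
	}
	if !ed25519.Verify(pub, signedBytes(img.Version, img.Payload), img.Sig) {
		return ErrBadSig
	}
	// Reject downgrades so a correctly signed but older, buggy image cannot
	// be pushed back onto the device.
	if img.Version <= installedVersion {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := SignImage(priv, 2, []byte("constructed sample firmware v2"))
	fmt.Println("genuine image:", VerifyImage(pub, 1, genuine))

	tampered := genuine
	tampered.Payload = []byte("constructed sample firmware v2, altered")
	fmt.Println("tampered payload:", VerifyImage(pub, 1, tampered))

	unsigned := FirmwareImage{Version: 3, Payload: []byte("constructed unsigned image")}
	fmt.Println("unsigned image:", VerifyImage(pub, 1, unsigned))

	fmt.Println("rollback attempt:", VerifyImage(pub, 2, genuine))
}
```

The design point is that the private key is only ever used at release time, so possession of network access to the pump, or even of the serial link between the communications module and the main board, is not enough to produce an image the pump will accept. The version check is included because signing alone does not stop a signed but superseded image from being reinstalled.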
According to Rios, Hospira initially denied that such a problem existed with its pumps when he reported his findings. The company insisted there was sufficient "separation" between the communications module in question and the device's circuit board.
Rios explains that although, yes, the parts are physically separate, "when you open the device up, you can see they’re actually connected with a serial cable, and they’re connected in a way that you can actually change the core software on the pump."
Rios says he plans to demonstrate a proof-of-concept attack at the SummerCon security conference in Brooklyn, NY, in July, to call Hospira out on the claims of security.
Hospira has various models of pumps, and Rios found this particular vulnerability in their PCA3 LifeCare and PCA5 LifeCare pumps; its Symbiq line of pumps (not currently manufactured); and its Plum A+ model of pumps, of which at least 325,000 are installed in hospitals worldwide.
The Food and Drug Administration has issued an alert about the devices, making various recommendations to the manufacturer on how to remedy the vulnerabilities, including ensuring that the device's network is isolated from the wider hospital network. However, that alert only mentioned the LifeCare PCA3 and PCA5, since Rios had not yet tested other models at that time.
In a blog post Monday, Rios described reluctance on the part of Hospira to take seriously or act on his reports.
"Over 400 days later, we have yet to see a single fix for the issues affecting the PCA 3," he explains.
Rios has not tested all the Hospira models currently in use, though, and told Wired that he strongly suspected several others contained the same vulnerabilities. After his initial report on the LifeCare models, he urged the company to inspect the others, some of which he ended up buying and examining himself.
"In May of 2014," he writes, "I recommended Hospira conduct an analysis to determine whether other infusion pumps within their product lines were affected. Five months after my request for a variant analysis, I received notification that Hospira was 'not interested in verifying that other pumps are vulnerable.'"
According to the FDA notice, there had so far been no reported incidents of someone maliciously manipulating a pump's settings to harm a patient by changing their medication dosages.