Pierluigi Paganini August 03, 2015

Food and Drug Administration invited healthcare providers to stop using older drug infusion pumps made by Hospira due to the risk of cyber attacks.

A few months ago security experts highlighted the risks related to the hacking of older drug infusion pumps, we discovered that certain versions of common drug infusion pumps are affected by numerous remotely exploitable vulnerabilities that could not open the doors to hackers.

In 2012 the US Government Accountability Office (GAO) published a report that highlighted the necessity to secure medical devices such as implantable cardioverter defibrillators or insulin pumps. The recommendation was directed to the Food and Drug Administration (FDA) and invited it to approach the problem seriously considering the risks of

In May, experts discovered that specific versions of the Hospira’s Lifecare PCA3 Drug Infusion pumps are affected by a number of vulnerabilities that could be exploited by attackers remotely to completely take over the devices.

The security expert Billy Rios discovered that both the FTP and telnet ports were left open on the Drug Infusion pumps, meanwhile port 8443 is accessible by using default login password.

The US Food and Drug Administration has taken action, the organization has invited healthcare providers to stop using older drug infusion pumps made by Hospira.

“Hospira and an independent researcher confirmed that Hospira’s Symbiq Infusion System could be accessed remotely through a hospital’s network. This could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies,” states a safety communication from the FDA.

“Hospira has discontinued the manufacture and distribution of the Symbiq Infusion System, due to unrelated issues, and is working with customers to transition to alternative systems. However, due to recent cybersecurity concerns, the FDA strongly encourages health care facilities to begin transitioning to alternative infusion systems as soon as possible.”

Hospira confirmed that it is working with affected hospitals to solve the problem and issuing an update that would fix the security issues.

The popular hacker Billy Rios, who discovered the security issues, reported them to the Department of Homeland Security that issued a warning last month. The vulnerable systems are the Symbiq Infusion System and Hospira’s Plum A+ Infusion System, Version 13.4 and prior versions, and Plum A+3 Infusion System 13.6 and earlier models.

Despite Hospira stopped manufacturing the Symbiq Infusion System two years ago, these devices are still in use  in “a limited number of sites.”

“Hospira is continuing to assess cybersecurity across our product line” Hospira said in a statement. “Exploiting cybersecurity vulnerabilities requires penetrating several layers of network security enforced by the hospital information system, including secure firewalls,””These measures serve as the primary defense against tampering with medical devices. The cybersecurity protections on infusion pumps add an additional layer of security and play a critical role in providing safe and effective patient care.”

Let me close with the recommendations provided by the FDA to reduce the risk of unauthorized system access:

• Disconnect the affected product from the network.CAUTION: Disconnecting the affected product from the network will have operational impacts. Disconnecting the device will require drug libraries to be updated manually. Manual updates to each pump can be labor intensive and prone to entry error.
• Ensure that unused ports are closed, including Port 20/FTP and Port 23/TELNET.
• Monitor and log all network traffic attempting to reach the affected product via Port 20/FTP, Port 23/TELNET and Port 8443. Contact Hospira’s technical support to change the default password used to access Port 8443 or close it.

Pierluigi Paganini

(Security Affairs – drug infusion pumps,  FDA)