Security Experts:

Several Hospira Drug Pumps Use Vulnerable Software: Researcher

A researcher who has analyzed the software installed on infusion pumps manufactured by Hospira says several models are plagued by the vulnerabilities disclosed earlier this year.

Roughly one year ago, security researcher Billy Rios privately disclosed several vulnerabilities in Hospira LifeCare patient-controlled analgesia (PCA) infusion systems. Some of the same flaws were independently identified and made public earlier this year by Canada-based researcher Jeremy Richards.

In May, both ICS-CERT and the Food and Drug Administration (FDA) published alerts to warn users about the security bugs which, according to researchers, can be exploited to take complete control of affected drug pumps and possibly even cause harm to users.

The list of security issues includes hardcoded credentials, shared private keys and encryption certificates, outdated software, improper authorization, and insufficient verification of data authenticity.

The security advisories from ICS-CERT and the FDA covered the Hospira LifeCare PCA3 and PCA5 drug infusion pumps. The vulnerabilities identified by researchers should be fixed in version 7, but this variant is still being reviewed by the FDA so it’s not yet available.

After determining that many of the vulnerabilities in PCA3 were related to design and insecure deployment, and after noticing that the vulnerable firmware contained references to other Hospira products, Rios asked the manufacturer to conduct its own analysis to determine if other drug pumps were affected as well.

Since Hospira said it wasn’t interested in verifying if its other products were vulnerable, Rios decided to conduct the tests himself. The expert has found that many of Hospira’s infusion pumps use the same software, meaning that they are affected by the same flaws as PCA3 pumps.

Rios says the vulnerabilities affect Plum A+, Lifecare PCA, and Symbiq pumps. While not confirmed, the researcher believes Plum A+3, Plum 360, Sapphire, and SapphirePlus infusion systems are also impacted. It’s worth noting that Symbiq pumps have been phased out by Hospira.

“The lack of transparency from Hospira is certainly disappointing. While we are certainly capable of conducting variant analysis, researchers conducting variant analysis across a company’s product lines is not the most efficient approach,” Rios said on Monday. “Given there is a public blog post, Wired article, DHS advisory, and FDA safety alert discussing the issues affecting the PCA 3, combined with the fact that the software is IDENTICAL on many Hospira communication modules, I find it impossible to believe that Hospira was unaware that the PCA3 issues also affected other pumps in their product lines.”

“If we can’t trust medical device manufactures to be transparent about publicly known security issues and vendors like Hospira continue to harbor the, ‘we’d rather not know’ attitude towards security issues, we’ll have to find an alternative to medical device vulnerability analysis. I hope Hospira is the exception here,” Rios added.

Hospira says it has been actively working with the DHS, which operates ICS-CERT, and the FDA regarding the reported infusion pump vulnerabilities. The company has provided customers with instructions on how to address the security bugs, and noted that there is no evidence of cybersecurity breaches of Hospira devices in a clinical setting.

"With the company's global device strategy announced in 2013, Hospira took a proactive approach to enhancing our device portfolio. Cybersecurity is one of many areas we've addressed in developing new infusion pumps. For example, our next-generation infusion systems -- the Plum 360™ (now available and recently FDA-cleared) and the LifeCare™ PCA 7.0 infusion system (pending FDA clearance) -- were designed with further cybersecurity protections in place," Hospira told SecurityWeek.

"Exploiting cybersecurity vulnerabilities requires penetrating several layers of network security enforced by the hospital information system, including secure firewalls. These measures serve as the first and strongest defense against tampering, and the infusion systems provide an additional layer of security," the company added.

"As we have been doing with DHS and FDA for some time, we will continue to investigate any feedback we receive on our devices. We will also continue to communicate with customers regarding cybersecurity, and software and infusion pump updates and/or enhancements," Hospira said. "Cybersecurity in healthcare devices is an issue that extends beyond infusion pumps. It is critical to continue multi-stakeholder dialogue to develop solutions to address this evolving area and Hospira will continue to be an active participant in industry discussions on this topic."

The company noted that the PCA infusion pumps covered in the recent advisories are only distributed in the United States and Canada. The Plum A+ and Plum A+ 3 models are distributed globally.

In a report published last week, TrapX Security detailed three cyberattacks against hospitals in which malicious actors leveraged compromised medical devices as pivot points.

*Updated with statement from Hospira

view counter
Eduard Kovacs is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.