Several Hospira Drug Pumps Use Vulnerable Software: Researcher

A researcher who has analyzed the software installed on infusion pumps manufactured by Hospira says several models are plagued by the vulnerabilities disclosed earlier this year.

Roughly one year ago, security researcher Billy Rios privately disclosed several vulnerabilities in Hospira LifeCare patient-controlled analgesia (PCA) infusion systems. Some of the same flaws were independently identified and made public earlier this year by Canada-based researcher Jeremy Richards.

In May, both ICS-CERT and the Food and Drug Administration (FDA) published alerts warning users about the security bugs, which, according to researchers, can be exploited to take complete control of affected drug pumps and possibly even cause harm to patients.

The list of security issues includes hardcoded credentials, shared private keys and encryption certificates, outdated software, improper authorization, and insufficient verification of data authenticity.

The security advisories from ICS-CERT and the FDA covered the Hospira LifeCare PCA3 and PCA5 drug infusion pumps. The vulnerabilities identified by researchers should be fixed in version 7, but this variant is still being reviewed by the FDA so it’s not yet available.

After determining that many of the vulnerabilities in PCA3 were related to design and insecure deployment, and after noticing that the vulnerable firmware contained references to other Hospira products, Rios asked the manufacturer to conduct its own analysis to determine if other drug pumps were affected as well.

Since Hospira said it wasn’t interested in verifying whether its other products were vulnerable, Rios decided to conduct the tests himself. He found that many of Hospira’s infusion pumps run the same software, meaning that they are affected by the same flaws as the PCA3 pumps.

Rios says the vulnerabilities affect Plum A+, Lifecare PCA, and Symbiq pumps. While not confirmed, the researcher believes Plum A+3, Plum 360, Sapphire, and SapphirePlus infusion systems are also impacted. It’s worth noting that Symbiq pumps have been phased out by Hospira.

“The lack of transparency from Hospira is certainly disappointing. While we are certainly capable of conducting variant analysis, researchers conducting variant analysis across a company’s product lines is not the most efficient approach,” Rios said on Monday. “Given there is a public blog post, Wired article, DHS advisory, and FDA safety alert discussing the issues affecting the PCA 3, combined with the fact that the software is IDENTICAL on many Hospira communication modules, I find it impossible to believe that Hospira was unaware that the PCA3 issues also affected other pumps in their product lines.”

“If we can’t trust medical device manufacturers to be transparent about publicly known security issues and vendors like Hospira continue to harbor the ‘we’d rather not know’ attitude towards security issues, we’ll have to find an alternative to medical device vulnerability analysis. I hope Hospira is the exception here,” Rios added.

Hospira says it has been actively working with the DHS, which operates ICS-CERT, and the FDA regarding the reported infusion pump vulnerabilities. The company has provided customers with instructions on how to address the security bugs, and noted that there is no evidence of cybersecurity breaches of Hospira devices in a clinical setting.

“With the company’s global device strategy announced in 2013, Hospira took a proactive approach to enhancing our device portfolio. Cybersecurity is one of many areas we’ve addressed in developing new infusion pumps. For example, our next-generation infusion systems — the Plum 360™ (now available and recently FDA-cleared) and the LifeCare™ PCA 7.0 infusion system (pending FDA clearance) — were designed with further cybersecurity protections in place,” Hospira told SecurityWeek.

“Exploiting cybersecurity vulnerabilities requires penetrating several layers of network security enforced by the hospital information system, including secure firewalls. These measures serve as the first and strongest defense against tampering, and the infusion systems provide an additional layer of security,” the company added.

“As we have been doing with DHS and FDA for some time, we will continue to investigate any feedback we receive on our devices. We will also continue to communicate with customers regarding cybersecurity, and software and infusion pump updates and/or enhancements,” Hospira said. “Cybersecurity in healthcare devices is an issue that extends beyond infusion pumps. It is critical to continue multi-stakeholder dialogue to develop solutions to address this evolving area and Hospira will continue to be an active participant in industry discussions on this topic.”

The company noted that the PCA infusion pumps covered in the recent advisories are only distributed in the United States and Canada. The Plum A+ and Plum A+ 3 models are distributed globally.

In a report published last week, TrapX Security detailed three cyberattacks against hospitals in which malicious actors leveraged compromised medical devices as pivot points.

*Updated with statement from Hospira

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
