Hospira LifeCare Infusion Pumps Could Be Hacked: FDA Warns

Some Hospira infusion pumps have a security vulnerability that could allow a hacker to gain control of the drug dosage delivered by the device, potentially causing serious harm or death for the user, federal health officials warn. 

The FDA issued a safety communication for the Hospira LifeCare PCA3 and PCA5 infusion pump systems on May 13, warning that someone could, theoretically, take control of these devices, which release therapeutic drugs or anesthetics into patients’ bodies.

To date, there have been no incidents involving the pumps being hacked. However, the FDA warns that data recently released about the vulnerabilities could provide hackers with the information they need to take control of the computerized drug pumps, which are designed to be programmed through a wireless network or via a Ethernet connection.

“An independent researcher has released information about these vulnerabilities, including software codes, which, if exploited, could allow an unauthorized user to interfere with the pump’s functioning,” the FDA warning indicates. “An unauthorized user with malicious intent could access the pump remotely and modify the dosage it delivers, which could lead to over- or under-infusion of critical therapies.”

This is not the first time there has been concern over the possibility that someone could take control of a computerized infusion pump.

Concerns regarding insulin pump security problems were first raised in August 2011, at the Black Hat security conference in Las Vegas. That was followed by a demonstration in 2012 by a McAfee, Inc. research architect, who showed attendees at the RSA security conference how hackers could remotely access some pumps from up to 300 feet away.

The problems were first highlighted by Jerome Radcliffe, another McAfee employee, who has since worked with the Department of Homeland Security and the Computer Emergency Response Team (CERT) to push insulin pump vendors to address the problem seriously.

The FDA has issued a number of recommendations to health care facilities which the agency’s investigators believe can reduce the risk of unauthorized access to the devices. The recommendations include:

• Following the system security recommendations from a recently released advisory by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
• Performing a risk assessment of the clinical use of the infusion pumps to determine whether to maintain whether wireless connectivity is needed.
• Follow good cybersecurity practices for medical devices issued by the FDA in June 2013, including restrictions on unauthorized access, making sure firewall and antivirus software are up-to-date, and monitoring networks for unauthorized activity.

The FDA also notes that an upcoming letter from Hospira to its customers will include more risk mitigation strategies. The agency says the vulnerabilities are currently under investigation by the FDA, Hospira and the Department of Homeland Security.