The Security Ledger

FDA Safety Advisory Warns of Cyber Risk of Drug Pumps

The FDA issued a Safety Communication regarding vulnerabilities in the Hospira LifeCare drug infusion pump.

In-brief: In what may be a first, the Food and Drug Administration (FDA) issued a Safety Communication regarding vulnerabilities in a drug infusion pump by the firm Hospira.

In what may be a first, the Food and Drug Administration (FDA) has issued a Safety Communication regarding vulnerabilities in a drug infusion pump by the firm Hospira that could make it easy prey for hackers.

The FDA notice regarding the Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems was published on Wednesday. The notice advises hospitals that are using the pump to isolate it from the Internet and “untrusted systems.” It follows disclosures by two, independent security researchers in recent months of a raft of software security vulnerabilities in the pumps, including Telnet and FTP services that were accessible without authentication.

The FDA said it and Hospira “have become aware of security vulnerabilities in Hospira’s LifeCare PCA3 and PCA5 Infusion Pump Systems” as well as the publication of “software codes, which, if exploited, could allow an unauthorized user to interfere with the pump’s functioning.”

An unauthorized user with malicious intent could “access the pump remotely and modify the dosage it delivers, which could lead to over- or under-infusion of critical therapies,” the safety advisory warned.

The advisory follows a warning by the Department of Homeland Security in April. DHS’s Industrial Control System Computer Emergency Response Team (ICS-CERT) warned of drug infusion pump management software sold by Hospira contains serious and exploitable vulnerabilities that could be used to remotely take control of the devices.

As reported by The Security Ledger last week, security researcher Jeremy Richards published the results of an independent and self-funded study of a LifeCare PCA 3 pump. Among other things, Richards discovered that the device was listening on Telnet port 23 and did not require authentication. Connecting to the device, he was brought immediately to a root shell account that gave him total, administrator level access to the pump.

Richards found other examples of loose security on the PCA 3: a FTP server that could be accessed without authentication and an embedded web server that runs Common Gateway Interface (CGI). That could allow an attacker to tamper with the pump’s operation using fairly simple commands.

The pump stored wireless keys used to connect to the local wireless network in plain text on the device. That means anyone with physical access to the Pump could gain access to the local medical device network and other devices on it. Furthermore, if pumps are not properly wiped prior to being sold, those keys may be transmitted to unknown buyers on the second-hand market, Richards warned.

“The only thing I needed to get in was an interest in the pump,” he told The Security Ledger, calling the LifeCare pump “the least secure IP-enabled device” he had ever worked with.

Richards’ work followed similar work by independent researcher Billy Rios, who identified a similar pattern of software vulnerabilities and “insecure by default” configuration affecting Hospira’s MedNet software.

The FDA cited the ICS-CERT notice and advised hospitals and doctors’ offices that are using the PCA3 or PCA5 Infusion Pump Systems to take a number of steps to secure the devices, including closing Port 20 (FTP) and Port 23 (TELNET) on the devices and using interrogation techniques, such as an MD5 checksum of key files, to identify unauthorized changes to the LifeCare PCA Infusion Pump System.

Hospitals were advised to conduct a “risk assessment by examining the specific clinical use of the Hospira LifeCare PCA Infusion Pump System in your organization’s environment to identify any potential impacts of the identified vulnerabilities.”

However, in an acknowledgement of the difficult position that hospitals find themselves in, the FDA also noted that disconnecting the device from the hospital network could require manual updates to drug libraries on the device.

“Manual updates on each pump can be labor intensive and prone to entry error. If you adjust the drug-delivery settings on your Hopira LifeCare PCA Infusion Pump System manually, the FDA recommends that you verify the settings prior to starting an infusion,” FDA said.

The issuance of a “Safety Communication” for software vulnerabilities is novel. The communications are typically used to issue specific and actionable guidance concerning safety related issues with medical devices or products used by health professionals in the field.

This is believed to be the first such communication issued for a software vulnerability in a specific product. In June, 2013, the FDA issued a safety communication regarding cybersecurity of hospital networks and medical devices.

Spread the word!