ICS-CERT issues advisory on Hospira infusion pump flaws
The infusion pump flaws could allow improper authorization and insufficient verification of data authenticity, DHS warns.
Last year, news surfaced that the Department of Homeland Security (DHS) was investigating suspected flaws in medical devices and hospital equipment – and now, one of the rumored devices under inspection has been found vulnerable to remotely exploitable bugs.
On Tuesday, DHS' Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) published an advisory about the issue, noting that versions 5.0 and prior of the LifeCare PCA Infusion System were affected by an improper authorization flaw and an insufficient verification of data authenticity vulnerability.
The infusion pump is distributed by Hospira, a Lake Forest, Ill.-based pharmaceutical and medical device firm which agreed in February to be acquired by pharma giant Pfizer for approximately $17 billion – a deal expected to close in the second half of this year. While Hospira is headquartered in the U.S., its LifeCare PCA Infusion System is used to administer medication to patients worldwide.
According to ICS-CERT, the improper authorization flaw could allow an unauthorized user to “issue commands to modify the configuration of the [infusion] pump,” while the vulnerability related to insufficient verification could cause the LifeCare patient-controlled analgesia (PCA) pump to “have drug libraries, software updates, and configuration changes uploaded to it from an unauthorized source,” the advisory said.
ICS-CERT noted that the LifeCare PCA infusion pump is operated by a clinician, who is required to be present to “manually program the pump with a specified dosage before medication can be administered.” Billy Rios, an independent researcher, identified the medical device flaws, and ICS-CERT has been working with Hospira since May 2014 to address the matter.
An updated version of the LifeCare PCA Infusion System, Version 7.0, has been developed by Hospira, but it is currently under review by the U.S. Food and Drug Administration (FDA). ICS-CERT added that the release date for the new version “has not been determined,” hence the advisory to notify the public of the vulnerabilities.