Last year, news surfaced that the Department of Homeland Security (DHS) was investigating suspected flaws in medical devices and hospital equipment – and now, one of the rumored devices under inspection has been found vulnerable to remotely exploitable bugs.

On Tuesday, DHS’ Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) published an advisory about the issue, noting that versions 5.0 and prior of the LifeCare PCA Infusion System are affected by an improper authorization flaw and an insufficient verification of data authenticity vulnerability.

The infusion pump is distributed by Hospira, a Lake Forest, Ill.-based pharmaceutical and medical device firm which agreed in February to be acquired by pharma giant Pfizer for approximately $17 billion – a deal expected to close in the second half of this year. While Hospira is headquartered in the U.S., its LifeCare PCA Infusion System is used to administer medication to patients worldwide.

According to ICS-CERT, the improper authorization flaw could allow an unauthorized user to “issue commands to modify the configuration of the [infusion] pump,” while the vulnerability related to insufficient verification could cause the LifeCare patient-controlled analgesia (PCA) pump to “have drug libraries, software updates, and configuration changes uploaded to it from an unauthorized source,” the advisory said.

ICS-CERT noted that the LifeCare PCA infusion pump is operated by a clinician, who is required to be present to “manually program the pump with a specified dosage before medication can be administered.” Billy Rios, an independent researcher, identified the medical device flaws, and ICS-CERT has been working with Hospira since May 2014 to address the matter.

An updated version of the LifeCare PCA Infusion System, Version 7.0, has been developed by Hospira, but it is currently under review by the U.S. Food and Drug Administration (FDA). ICS-CERT added that the release date for the new version “has not been determined,” hence the advisory to notify the public of the vulnerabilities.

In the meantime, DHS advised owners of the infusion pump to take certain mitigation steps to prevent exploitation, including closing unused ports (particularly Port 20/FTP and Port 23/TELNET), implementing a defense-in-depth security strategy for environments operating medical devices (by layering physical and logical security), and isolating the infusion pump from the internet and “untrusted systems,” the alert said.

“When remote access is required, use secure methods, such as VPNs, recognizing that VPNs may have vulnerabilities and should be updated to the most current version available,” the advisory continued. “Also recognize that VPN is only as secure as the connected devices.”

Device owners should also “produce an MD5 checksum of key files to identify any unauthorized changes,” ICS-CERT recommended.
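The checksum recommendation is the one mitigation in the advisory that translates directly into a repeatable procedure: record digests of the files you care about while the system is known-good, then re-compute and compare them later to spot modified, deleted, or newly planted files. The script below is an added example written for this article; it is not code from ICS-CERT, Hospira, or the advisory. It assumes the "key files" (drug library, configuration, update packages) have been exported to a directory on a management workstation, since the advisory does not say where on the device they live. The advisory names MD5, and the example can produce MD5 manifests, but it defaults to SHA-256: MD5 collisions are cheap to compute, so an attacker who can already upload files could craft a replacement with a matching MD5. The file names and contents in the demo are constructed for illustration.

```python
"""File-integrity baseline and verification for exported device files.

Added example (not from the ICS-CERT advisory or Hospira). Builds a manifest
of per-file digests, then verifies a directory against it and reports files
that were modified, are missing, or were added since the baseline.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def digest_file(path, algo="sha256", chunk=65536):
    """Hash a file in chunks so large update packages do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, algo="sha256"):
    """Walk `root` and record a digest for every regular file, keyed by relative path."""
    root = Path(root)
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            files[p.relative_to(root).as_posix()] = digest_file(p, algo)
    return {"algo": algo, "files": files}


def save_manifest(manifest, dest):
    """Persist the baseline as JSON. Store this copy off the monitored host,
    or an attacker who can change the files can change the manifest too."""
    Path(dest).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src):
    return json.loads(Path(src).read_text())


def verify_manifest(root, manifest):
    """Re-hash `root` with the manifest's algorithm and diff against the baseline."""
    baseline = manifest["files"]
    current = build_manifest(root, manifest["algo"])["files"]
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "missing": sorted(f for f in baseline if f not in current),
        "added": sorted(f for f in current if f not in baseline),
    }


def demo(algo="md5"):
    """Constructed scenario: baseline a clean export, then simulate an
    unauthorized configuration change and an unsigned update upload.
    Uses MD5 by default only because that is what the advisory names."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "export"
        (root / "config").mkdir(parents=True)
        (root / "drug_library.bin").write_bytes(b"constructed drug library, version 5")
        (root / "config" / "pump.cfg").write_text("max_dose=10\n")

        save_manifest(build_manifest(root, algo), Path(d) / "baseline.json")
        manifest = load_manifest(Path(d) / "baseline.json")
        clean = verify_manifest(root, manifest)

        # Tampering: a configuration change and a new, unexpected update package.
        (root / "config" / "pump.cfg").write_text("max_dose=100\n")
        (root / "firmware_update.bin").write_bytes(b"constructed unsigned update")
        tampered = verify_manifest(root, manifest)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean export:", before)
    print("after tampering:", after)
```

Run it and the first report is empty in all three categories, while the second lists `config/pump.cfg` under `modified` and `firmware_update.bin` under `added`. Two caveats a practitioner would add to the advisory's one-liner: keep the manifest somewhere the pump's network cannot write to, and treat any digest algorithm as a change detector only, not as proof that the files came from the vendor, which is exactly the property the insufficient-verification flaw is about. Separately, when closing the ports the advisory lists, remember that FTP uses port 21 for its control channel in addition to port 20 for data.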

The improper authorization bug was assigned a CVSS (Common Vulnerability Scoring System) base score of 10, while the insufficient verification of data authenticity vulnerability was assigned a base score of 7.6.