Like something out of Mission Impossible, hackers can alter a drug pump's programming, potentially killing patients by overdosing them at a distance — from anywhere in the hospital, or even beyond.
"Hospira and an independent researcher confirmed that Hospira’s Symbiq Infusion System could be accessed remotely through a hospital’s network. This could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies," The FDA stated in its safety alert July 31.
At present, no adverse events or actual unauthorized access to the infusion system has been reported, according to the agency. Hospira has discontinued making and distributing the system.
At issue is the so-called "Internet of things," according to BlackBerry Chief Security Officer David Kleidermacher and Security Expert Graham Murphy. In a YouTube video of their presentation at the BlackBerry Security Summit 2015, they showed just how simple it was to hack an infusion pump — using the built in Ethernet jack at the back of the pump, with the help of the device's manual, which provided the fixed IP address that let Murphy break into it. To make matters worse, Murphy was even able to hack into the WiFi on the pump, so that he could control it remotely.
Worse yet, having succeeded in breaking into the pump, Murphy showed how a hacker would also have been able to access, explore and possibly take over other parts of the no-longer-so-secure hospital's care network, to which the device was attached.
Cybersecurity expert Billy Rios first spotted the flaw in 2014. On June 8, he described the sequence of events leading up to the FDA alert on his website:
"In May of 2014, I reported to the Department of Homeland Security (and eventually the FDA) a series of vulnerabilities affecting the PCA 3 Lifecare infusion pump made by Hospira. Over 400 days later, we have yet to see a single fix for the issues affecting the PCA 3. On April 28th of this year, a researcher named Jeremy Richards of Hextech Security publicly disclosed many of the same vulnerabilities I reported in May of 2014."
