nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

This hospital drug pump can be hacked over a network – and the US FDA is freaking out

Doctors told to stop using kit as open ports put patients at risk

By Iain Thomson, 1 Aug 2015

The US Food and Drug Administration has told healthcare providers to stop using older drug infusion pumps made by medical technology outfit Hospira – because they can be easily hacked over a network.

"Hospira and an independent researcher confirmed that Hospira’s Symbiq Infusion System could be accessed remotely through a hospital’s network. This could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies," the FDA said.

"Hospira has discontinued the manufacture and distribution of the Symbiq Infusion System, due to unrelated issues, and is working with customers to transition to alternative systems. However, due to recent cybersecurity concerns, the FDA strongly encourages health care facilities to begin transitioning to alternative infusion systems as soon as possible."

It appears from the advisory that both the FTP and telnet ports (ports 20 and 23, respectively) were left open on the drug pumps, and will need to be closed. Also, port 8443 ships with a default login password, and the FDA advises hospitals to change it as soon as possible.

Hospira says it is working with affected hospitals to deploy an update that addresses both issues.

The flaws were found by white-hat hacker Billy Rios, who reported them to the Department of Homeland Security. The DHS issued a warning last month on the matter. The flaws affect both the Symbiq Infusion System and Hospira's Plum A+ Infusion System, Version 13.4 and prior versions, and Plum A+3 Infusion System 13.6 and earlier models.

The DHS's alert warned of a whole grab-bag of flaws, including wireless, public and private keys being stored in plain text on the device, a lack of authorization checking on the devices, and their vulnerability to either a denial of service attack or remote code execution. Still other vulnerabilities were exposed in a subsequent alert this month.

Hospira stopped manufacturing the Symbiq Infusion System two years ago, but it acknowledged that the hardware is still in use in "a limited number of sites." It added that the presence of these vulnerabilities doesn't mean they can be easily exploited.

"Exploiting cybersecurity vulnerabilities requires penetrating several layers of network security enforced by the hospital information system, including secure firewalls," Hospira said in a statement. "These measures serve as the primary defense against tampering with medical devices. The cybersecurity protections on infusion pumps add an additional layer of security and play a critical role in providing safe and effective patient care." ®

The Register - Independent news and views for the tech community. Part of Situation Publishing