UPDATED Monday July 20 with comment from Hospira.
BROOKLYN, NEW YORK — Medical infusion pumps, which intravenously deliver drugs to millions of hospital patients in the United States every year, often have basic security flaws that could let hackers deliver fatal overdoses and which manufacturers may be unwilling to address, a security researcher said at the Summercon 2015 hacker conference here yesterday (July 18).
Billy Rios, a former U.S. Marine and Google and Microsoft security engineer who now runs his own firm in the Bay Area, singled out infusion pumps made by Lake Forest, Illinois-based Hospira as an example, although he implied other brands probably had similar issues. He added that Hospira's pump-management software had a secret administrative account with a built-in, hard-coded password of "12345678".
"What everyone wants to know about medical device hacks is, can you kill someone?" Rios said. "The answer is yes. But the manufacturers will deny it."
Hospira, Rios said, had refused to address the safety concerns he privately communicated to the company nearly a year ago — until it recently learned he'd be giving his presentation in New York this weekend.
"Then they wanted a conference call," he laughed. "It's kind of appalling."
Ironically, another researcher looking into the same problems with Hospira infusion pumps went public with his own results this past spring, prompting the Food and Drug Administration to issue a warning about two models of Hospira infusion pumps.
Rios, however, thinks there are similar problems with other Hospira infusion pumps, since several models share pieces of hardware and software. He found that several pumps let a remote user communicate directly with the pumps' operating systems without having to enter a password, and that some pumps will accept software updates without asking for authentication.
"I was actually in the hospital last year hooked up to an infusion pump," Rios said. "It probably saved my life. I don't want people to stop using these things. We need to accept some of the risk. We can't control the fact that we have bugs in our software, but we can control the response we take when we learn of security issues."
To demonstrate his findings, Rios played a video clip of himself remotely controlling an infusion pump, simulating button presses to put the device into a special state in which it can be serviced. Once in that state, various maintenance tasks can be performed — including a test that overrides drug-dosage limits and instead empties an entire drug vial at once.
A hacker who was on a hospital's network — "in some hospitals, you just plug in an Xbox and you're on the network," Rios said — might be able to use those techniques to deliver a fatal dose of painkillers to a patient in another room or on another floor.
Even worse, flaws in administrative software that Rios demonstrated could let a malicious hacker kill several or dozens of patients at once. Rios said he examined Hospira's MedNet software, with which hospital personnel can manage multiple infusion pumps connected via Wi-Fi or Ethernet, and discovered an undocumented "backdoor" user account that allowed remote administrative access to the system.
The secret account's password was factory-set to "12345678".
"Healthcare is increasingly depended on computers and software, and medical devices are computers with software," Rios said. Yet, he added, "it's possible to sell a device without any form of cybersecurity review. And if you walk into a hospital today, there's a legacy problem — probably none of the devices have gone through any manufacturer security review."
The real obstacle to better medical-device security, Rios said, is what he called the interdependent "love triangle" of healthcare providers, device manufacturers and regulatory bodies.
"You basically have to hit all three of these wickets for fixes to work," he said. "Device makers won't do anything until the hospitals and the FDA tell them to."
The FDA is becoming more aware of the overall problem, as the recent advisory about Hospira infusion pumps showed, and Rios said some hospitals are now doing their own security assessments of medical devices, but both are just the beginning of what needs to be done, he added.
"We have a really long road ahead of us in terms of medical devices," Rios said. "When someone says there's never been any instance of anyone using an infusion pump to kill someone, my response is to say, 'Let's not rely on the goodwill of strangers.'"
UPDATE: "It's important to emphasize that there has been no known instance of an infusion pump cybersecurity attack in a clinical setting. Hospira has a team of internal and external experts working hard so that this remains the case," a Hospira spokeswoman told Tom's Guide.
"Cybersecurity protection of connected devices is paramount," the spokeswoman added. "Hospira has been working with customers for more than a year to further enhance cybersecurity and address vulnerabilities, reported by certain private individuals, that have not been seen in a clinical setting."
- Best Fitness Trackers for Running, Swimming and Training
- Cyber(Heart) Attack: How to Make Medical Devices Secure
- How to Hack Nearly Any Wireless Device