What if the technology meant to save your life could be used to kill you?
Modern hospitals are filled with sophisticated equipment designed to make medical care safer. But new research suggests that some of those machines can be hacked, potentially allowing someone to give you a fatal dosage of medication.
Billy Rios, an independent security researcher, found that drug infusion pumps made by medical device company Hospira can be remotely tampered with. A hacker can tap into the pumps and change the amount of medication they’ve been set to dispense.
As first reported in Wired, the vulnerability affects several different versions of Hospira pumps. The Lake Forest, Illinois-based company says it has sold hundreds of thousands of the infusion pumps to hospitals worldwide.
The pumps are designed to take human error out of the drug dispensing equation. That’s a potentially life-saving task: A Journal of Patient Safety study from 2013 found that medical errors kill between 210,000 and 440,000 patients each year — 35% of which are due to incorrect dispensing of medications.
Many Hospira pumps contain barcode readers that prevent hospital staff from dispensing incorrect medication. And they have alarm systems set to notify staff if they set the dosage levels too high.
In May 2014, Rios discovered 100 vulnerabilities in the communications system of the Hospira LifeCare PCA 3 infusion pump software. Among them: a hacker could raise the maximum dosage limits stored on the pump. That would prevent the alarms from sounding if a nurse or doctor accidentally gave the patient too high a dose.
Rios notified Hospira, but the company did not respond to him. Hospira stayed mum on the issue until April, when Jeremy Richards, another researcher, publicly disclosed the vulnerability. In May, the FDA and the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team sent out advisories notifying hospitals of the potential danger posed by Hospira's pumps.
In a statement, Hospira says it is working with the FDA and DHS on a fix for its PCA 3 pump. But Rios says that Hospira has refused to conduct an analysis on its other pumps.
“So I purchased some additional Hospira infusion pumps and did the research myself,” Rios told CNNMoney.
Not only did Rios find that Hospira's other pumps are vulnerable, he also discovered a potentially much more dangerous vulnerability: a hacker could deliberately give a patient a fatal overdose.
Hospira maintained that none of its devices installed in hospitals had been hacked, and said it has worked with its customers on how to address the vulnerabilities. The company noted that hacking a pump would first require an attacker to get past the hospital's own network security before reaching the pump.
“We will continue to investigate any feedback we receive on our devices,” said Tareta Adams, a spokeswoman for Hospira. “We will also continue to communicate with customers regarding cybersecurity, and software and infusion pump updates and/or enhancements.”
The company also said its latest Plum 360 and LifeCare PCA 7.0 infusion systems were designed with cybersecurity protections in mind. The LifeCare PCA 7.0 pump is still pending FDA approval, and Rios hasn’t fully tested the Plum 360 yet. But he said the Plum 360 runs the same software that the other affected pumps use.