It hasn't been a good couple of months for medical equipment security. I told you last month about a Hospira drug pump that could give hackers full access to a hospital's secure network, the one that connects critical lifesaving gadgets.
Then yesterday, I told you that security firm TrapX had found viruses on hospital equipment, including a blood gas analyzer and an X-ray machine. So it shouldn't surprise you that another problem has come to light.
The same researcher who found the problem in the drug pump, Billy Rios, was in the hospital recently and found himself hooked up to another model of Hospira drug pump. So, he got curious and did some checking.
It turns out that the drug pump includes a drug library that sets safe dose limits for various drug types. Unfortunately, anyone with access to the machine, even over the network, can change those safe dose limits and cause an overdose.
Going even further, he picked up other models of Hospira pumps and found that it's simple for anyone with access to overwrite the firmware and make the pump do whatever they want. Doesn't make you feel very safe, does it?
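To make the drug-library problem concrete from the defender's side, here is an added example (not Hospira's code, and not from the research described above) of the check a pump could make before accepting a drug library: the library is only loaded if its integrity tag verifies, and dose limits are then enforced against the verified copy. The drug names, limit values, key and function names are all constructed for illustration; a shared HMAC key is used to keep the example short, where a real device would verify an asymmetric signature so no secret lives on the pump.

```python
import hashlib
import hmac
import json

# Constructed sample drug library: drug -> allowed infusion rate range in mg/h.
# Values are illustrative only, not clinical guidance.
DRUG_LIBRARY = {
    "morphine": {"min_mg_per_h": 0.5, "max_mg_per_h": 10.0},
    "heparin": {"min_mg_per_h": 5.0, "max_mg_per_h": 30.0},
}

# Hypothetical key shared between the pump and the hospital's library server.
# A real device would use an asymmetric signature so the pump holds no secret.
LIBRARY_KEY = b"demo-key-not-for-production"


def serialize_library(library: dict) -> bytes:
    """Canonical JSON so the tag does not depend on key order or whitespace."""
    return json.dumps(library, sort_keys=True, separators=(",", ":")).encode()


def sign_library(library: dict, key: bytes) -> str:
    """Produce the integrity tag the library server attaches to a library."""
    return hmac.new(key, serialize_library(library), hashlib.sha256).hexdigest()


def load_library(payload: bytes, signature: str, key: bytes) -> dict:
    """Accept a library only if its tag verifies and its limits are sane."""
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("drug library rejected: signature mismatch")
    library = json.loads(payload)
    for drug, limits in library.items():
        lo, hi = limits["min_mg_per_h"], limits["max_mg_per_h"]
        if not (0 < lo <= hi):
            raise ValueError(f"drug library rejected: bad limits for {drug}")
    return library


def dose_allowed(library: dict, drug: str, rate_mg_per_h: float) -> bool:
    """Enforce the verified library's limits on a requested infusion rate."""
    limits = library.get(drug)
    if limits is None:
        return False  # unknown drug: refuse rather than guess
    return limits["min_mg_per_h"] <= rate_mg_per_h <= limits["max_mg_per_h"]


def demo() -> dict:
    """Run the happy path and a simulated unauthenticated edit of the limits."""
    payload = serialize_library(DRUG_LIBRARY)
    sig = sign_library(DRUG_LIBRARY, LIBRARY_KEY)
    good = load_library(payload, sig, LIBRARY_KEY)

    # Simulated network edit of the library without re-signing: raise the
    # morphine ceiling. The tag no longer matches, so the pump refuses it.
    tampered = json.loads(payload)
    tampered["morphine"]["max_mg_per_h"] = 500.0
    try:
        load_library(serialize_library(tampered), sig, LIBRARY_KEY)
        tampered_accepted = True
    except ValueError:
        tampered_accepted = False

    return {
        "tampered_accepted": tampered_accepted,
        "normal_dose_ok": dose_allowed(good, "morphine", 4.0),
        "overdose_ok": dose_allowed(good, "morphine", 50.0),
    }


if __name__ == "__main__":
    print(demo())
```

The same pattern applies to the firmware problem mentioned above: an update image should only be written to the pump after its signature verifies against a key the device trusts, rather than being accepted from anyone who can reach the device.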
In response to this report, Hospira released this statement to Naked Security:
Supporting safe and effective delivery of medication is Hospira's priority. In the interest of patient safety, Hospira has been actively working with the Department of Homeland Security (DHS) and the U.S. Food and Drug Administration (FDA) regarding reported vulnerabilities in our infusion pumps. The company has communicated with customers on how to address the vulnerabilities following recent advisories from the FDA and DHS. There are no instances of cybersecurity breaches of Hospira devices in a clinical setting.
Exploiting cybersecurity vulnerabilities requires penetrating several layers of network security enforced by the hospital information system, including secure firewalls. These measures serve as the first and strongest defense against tampering, and the infusion systems provide an additional layer of security.
It doesn't sound like Hospira is taking this as seriously as it perhaps could.
What do you think? Does that statement make you feel safer? Let me know in the comments.