This hospital drug pump can be hacked over a network – and the US FDA is freaking out

Doctors told to stop using kit as open ports put patients at risk


The US Food and Drug Administration has told healthcare providers to stop using older drug infusion pumps made by medical technology outfit Hospira – because they can be easily hacked over a network.

"Hospira and an independent researcher confirmed that Hospira’s Symbiq Infusion System could be accessed remotely through a hospital’s network. This could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies," the FDA said.

"Hospira has discontinued the manufacture and distribution of the Symbiq Infusion System, due to unrelated issues, and is working with customers to transition to alternative systems. However, due to recent cybersecurity concerns, the FDA strongly encourages health care facilities to begin transitioning to alternative infusion systems as soon as possible."

It appears from the advisory that both the FTP and telnet ports (ports 20 and 23, respectively) were left open on the drug pumps and will need to be closed. The advisory also says the service on port 8443 ships with a default login password, which the FDA advises hospitals to change as soon as possible.
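To check whether those mitigations have actually been applied on an isolated biomedical network segment, a defender needs something that verifies port state from the outside and turns the result into the advisory's two actions. The script below is an added example written for this article, not code from Hospira, the FDA or the researcher; the host names, the `default_password_changed` flag (which an operator has to record from their own change log, since a TCP probe cannot tell whether a password was changed) and the local listener used for self-testing are all assumptions made for the example. It only tests TCP reachability; it never logs in to anything.

```python
"""Audit an infusion-pump address against the FDA advisory's port guidance.

Added example: checks whether ports 20 (FTP), 23 (telnet) and 8443 accept a TCP
connection, then reports which of the advisory's actions are still outstanding.
"""
import socket
from typing import Dict, Iterable, List, Tuple

# Ports named in the FDA safety communication quoted in the article.
ADVISORY_PORTS: Dict[int, str] = {
    20: "FTP",
    23: "TELNET",
    8443: "management interface shipped with a default password",
}


def probe_port(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a plain TCP connect to host:port succeeds within timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        # connect_ex returns 0 on success and an errno otherwise (e.g. ECONNREFUSED);
        # a timeout raises, which we treat as "not reachable".
        try:
            return sock.connect_ex((host, port)) == 0
        except OSError:
            return False


def audit_device(host: str, ports: Iterable[int] = tuple(ADVISORY_PORTS),
                 timeout: float = 1.0) -> Dict[int, bool]:
    """Map each port to whether it is open on the given host."""
    return {port: probe_port(host, port, timeout) for port in ports}


def findings(port_state: Dict[int, bool], default_password_changed: bool) -> List[str]:
    """Translate observed port state into the advisory's outstanding actions.

    default_password_changed is an assumed operator-supplied flag: a network probe
    cannot verify a credential change, so the operator records it separately.
    """
    actions: List[str] = []
    for port in (20, 23):
        if port_state.get(port):
            actions.append(f"port {port}/{ADVISORY_PORTS[port]} is open: close it")
    if port_state.get(8443) and not default_password_changed:
        actions.append("port 8443 is open and the default password is unchanged: change it")
    return actions


def start_local_listener() -> Tuple[socket.socket, int]:
    """Bind a throwaway TCP listener on loopback so the probe can be self-tested.

    The kernel completes the handshake from the listen backlog, so no accept()
    loop is needed for connect_ex() to succeed. Caller closes the socket.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Self-demonstration on loopback (constructed, not a real pump): one port that
    # is listening and one that was just released, so it should be refused.
    listener, open_port = start_local_listener()
    released, closed_port = start_local_listener()
    released.close()
    state = audit_device("127.0.0.1", [open_port, closed_port])
    print("port state on loopback:", state)
    listener.close()

    # Example report for a hypothetical pump that still has FTP and 8443 exposed.
    sample_state = {20: True, 23: False, 8443: True}
    for line in findings(sample_state, default_password_changed=False):
        print("ACTION:", line)
```

Run it against a pump's address instead of loopback with `audit_device("<pump-ip>")`; an empty list from `findings()` means the advisory's port actions are satisfied, while any entry is something to fix before the device goes back on the ward network.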

Hospira says it is working with affected hospitals to deploy an update that addresses both issues.

The flaws were found by white-hat hacker Billy Rios, who reported them to the Department of Homeland Security. The DHS issued a warning last month on the matter. The flaws affect the Symbiq Infusion System as well as Hospira's Plum A+ Infusion System, version 13.4 and earlier, and the Plum A+3 Infusion System, version 13.6 and earlier.

The DHS's alert warned of a whole grab-bag of flaws, including wireless keys and public/private keys being stored in plain text on the device, a lack of authorization checking on the devices, and their vulnerability to either a denial-of-service attack or remote code execution. Still other vulnerabilities were exposed in a subsequent alert this month.

Hospira stopped manufacturing the Symbiq Infusion System two years ago, but it acknowledged that the hardware is still in use in "a limited number of sites." It added that the presence of these vulnerabilities doesn't mean they can be easily exploited.

"Exploiting cybersecurity vulnerabilities requires penetrating several layers of network security enforced by the hospital information system, including secure firewalls," Hospira said in a statement. "These measures serve as the primary defense against tampering with medical devices. The cybersecurity protections on infusion pumps add an additional layer of security and play a critical role in providing safe and effective patient care." ®

Biting the hand that feeds IT © 1998–2021