Researcher on Medical Device Flaws
Rios Explains Infusion Pump Vulnerabilities that Led to Alerts
Last year, independent security researcher Billy Rios discovered security vulnerabilities in medical infusion pumps, which eventually led the Department of Homeland Security and the Food and Drug Administration to issue recent warnings. Now, he explains his findings in this exclusive interview with Information Security Media Group.
On May 13, the FDA and DHS' Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, each issued alerts for healthcare facilities using the Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems. The advisories warned that security vulnerabilities in the infusion pumps manufactured by Hospira could be remotely exploited by an unauthorized user (see FDA: Infusion Pumps Have Vulnerabilities).
The government alerts came about one year after Rios said he discovered the vulnerabilities while testing the infusion pumps along with some other medical devices he independently purchased to test.
"We found a large number of things [wrong with the products' software]," he says. "When you buy a [medical] device, you're not just buying the device, you're buying an entire ecosystem that supports that device." Medical devices such as the Hospira infusion pumps are "just a computer under the hood. It's a processor and software, and that software is written by a person ... and human beings make mistakes."
After discovering the vulnerabilities, Rios notified DHS, and soon thereafter the FDA was in communication with Hospira, the manufacturer, the researcher says. In the meantime, another independent researcher based in Canada also discovered the infusion pump vulnerabilities and publicly released the flaws, prompting the warnings from the federal agencies.
In the interview, Rios discusses:
- How he found the vulnerabilities and what motivated him to examine the pumps;
- Why the vulnerabilities present potential safety risks to patients and security risks to healthcare organizations;
- What transpired after Hospira was alerted by the U.S. government of the vulnerabilities that Rios discovered;
- What other medical devices makers and healthcare organizations should learn from the Hospira infusion pump security vulnerabilities.
Rios is founder of the independent security research and services firm Laconicly. Prior to launching Laconicly, Rios worked at several security consulting firms, including Qualys and Cylance Inc. He also previously worked as a security engineer and manager at Google and Microsoft.
Hospira's Latest Comments
In a statement, Hospira tells ISMG: "There are no instances of cybersecurity breaches of Hospira devices in a clinical setting. ... Hospira has taken a proactive approach to address potential cybersecurity vulnerabilities. Hospira has communicated with existing customers on how to address the vulnerabilities and continues to reach out to customers following the recent advisories from the FDA and DHS. These advisories acknowledge that Hospira has been actively engaged with the FDA and DHS regarding developments around device cybersecurity."
The company also notes: "Hospira has put further cybersecurity protections in place in our next-generation LifeCare PCA device and software, which were submitted in December 2014 to FDA for clearance."
And in addressing vulnerabilities in its products, Hospira adds: "It's important to understand that exploiting cybersecurity vulnerabilities requires penetrating several layers of network security enforced by the hospital information system, including secure firewalls. These network security measures serve as the first and strongest line of defense against tampering, and the pumps and software provide an additional layer of security. As stated in the DHS advisory, it is not possible to remotely operate the LifeCare PCA infusion pump. In the unlikely event that someone is able to gain unauthorized access to an infusion device, the pumps are designed to ensure only a clinician can start, stop or change an infusion through physical interaction with the pump. This means that clinician authorization at the pump is required to program and change the dosage of the medication being delivered."