Expert: Drug pumps vulnerable to dangerous online tampering

Computerized drug-infusion pumps can be hacked to make it easier to deliver a deadly dose to a patient, a security researcher found.

The discovery highlights the vulnerability of network-connected medical devices to tampering online. Experts say device manufacturers are just beginning to acknowledge and respond to the security threats.

{mosads}Billy Rios, founder of security firm Laconicly, took a hard look at the workings of computerized drug pumps after using them as part of a medical treatment.

He discovered that hackers or people within a hospital’s network could break into the pumps in a way that changes the upper and lower boundaries for dosages.

By raising the upper limit, a hacker could pave the way for someone to set the pump to deliver a dangerously high dosage, either intentionally or accidentally.

Rios found the flaw in the LifeCare PCA drug pump manufactured by Hospira and touted for its ability to defend against medical errors.

After alerting the Department of Homeland Security, officials notified Hospira and the Food and Drug Administration. DHS also issued a public alert about the flaw last week, just as Hospira attempted to patch the vulnerability in a new software update.

Rios said the patched version does not fully fix the problem, according to Wired, which covered the back-and-forth.
 
Lawmakers and regulators are beginning to take a closer look at medical devices’ vulnerability to hacking, a possibility previously associated only with spy novels and TV shows.

Dr. Robert Wachter, associate chair of UC San Francisco’s Department of Medicine, expressed concern about the problem with the drug pumps.

“The risk from changing the bumpers — the high and low permissible doses — doesn’t seem to be very high,” he told Wired.

“But in a big institution giving 100,000 medications over the course of a month, screwing around with those bumpers is going to cause harm at some point. That worries me. Anything like this at some point will kill someone.”

Researchers have found a host of security vulnerabilities in medical equipment, including pacemakers, defibrillators, X-rays and drug storage refrigerators.