A popular medical device meant to protect patients from receiving the wrong dose of drugs has the dangerous potential to be hacked to access and alter dosages, NBC 5 Investigates has learned.
Security researchers are calling this a dangerous security flaw.
Former Marine captain and security researcher Billy Rios spent the last dozen years in cyber security with the U.S. Department of Defense, Google and Microsoft.
“These are very serious issues,” said Rios, who lives in California’s Bay Area. “Last year I actually found myself in the hospital. I had what’s called a brain leak, which is basically brain fluid leaking out of my nose.”
When he was rushed to the hospital for emergency surgery, he came face to face with the very machines he had been testing.
“The person that was next to me was hooked up to an infusion pump I had done research on,” he said.
Research showed alarming security flaws in a computerized drug-infusion pump called Symbiq, made by the Lake Forest-based medical device company Hospira.
The popular drug infusion pump is one of five Hospira infusion pumps which Rios claims are vulnerable. Other potentially affected pumps include the company’s PCA, PCA3, PCA5, and PlumA+ product lines.
The computerized pumps are in hospitals nationwide and deliver anything from anesthesia to powerful narcotics.
The pumps are programmed through a hospital’s wireless network, meaning anyone on the hospital’s network, from a patient to a malicious hacker, could potentially access and alter the dosage.
“What we are talking about is being able to remotely take over an IV pump,” Rios said.
“Most patients are continuously receiving intravenous fluids or medications through an IV,” said Dr. Bradley Knight, director of the Heart Rhythm Program at Northwestern.
And those IVs are typically hooked up to infusion pumps.
“Almost anybody in a hospital could be harmed if you change the rate of infusion or you change the maximum amount a person could administer of a narcotic for example with the pump,” said Knight.
Northwestern Memorial Hospital tells NBC 5 Investigates they don’t use Hospira brand infusion pumps. But other hospitals have already been alerted by the FDA and Homeland Security’s Cyber Emergency Response Team to the vulnerabilities in two Hospira infusion pumps – the LifeCare PCA3 and PCA5 Infusion Pump Systems.
As for the Symbiq pump, Hospira tells NBC 5 Investigates the pump is being “removed from the market.”
Hospira also tells us it is working with the FDA and DHS on “vulnerabilities in our infusion pumps.”
The company released a new infusion system with what it says are “cybersecurity protections in place.”
As for the vulnerable pumps still being used in hospitals, Hospira provided a lengthy list of “how to address the vulnerabilities.” These fixes range from firewalls to disconnecting the devices from the internet.
There are no known instances of cybersecurity breaches of these devices in clinical settings, but that provides little comfort to Rios.
“People that are connected to these devices are in a vulnerable state as it is,” Rios said. “They shouldn’t have to worry about the cyber security of the devices that are connected to them.”