Not that anyone needed another reason to fear hospitals, but here’s a good one: Security researcher Billy Rios has discovered vulnerabilities in popular hospital drug pumps that allow hackers to remotely change drug dosages.
Rios found a way to remotely change a drug pump’s firmware, giving hackers control over the device: by accessing the hospital’s communications module, an attacker can send a fake firmware update to a pump. Hackers could exceed the maximum dosage allowance without setting off the pump’s alert function, making it easy to fatally jack up drug doses without raising suspicion.

At least five models from drug pump manufacturer Hospira are in danger of getting hijacked, according to Wired. This includes its Plum A+ model, which has been installed at least 325,000 times in hospitals around the world. Rios told Wired that the same process used by Hospira to deliver real firmware updates leaves the company’s pumps open to attack.

An attacker wouldn’t need physical access to the pump. The communication modules are connected to hospital networks, which are in turn connected to the Internet. “You can talk to that communication module over the network or over a wireless network,” Rios warns.
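The weak point the article describes is an update path that flashes whatever firmware arrives over the network. The following is an added example, not code from the article, from Rios or from Hospira, contrasting that pattern with an update handler that authenticates each image and refuses rollbacks to older versions. The key, version numbers and package format are constructed assumptions; a production device would verify an asymmetric signature with the public key held in protected storage rather than rely on a shared secret, but the check structure is the same.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed, hypothetical values for this example only; a real pump would keep
# its verification key in protected storage and use an asymmetric signature.
DEVICE_UPDATE_KEY = b"example-shared-secret-not-for-production"
INSTALLED_VERSION = 3


@dataclass
class FirmwareUpdate:
    """A constructed update package: version, image, and an HMAC-SHA256 tag
    computed by the vendor over version || image."""
    version: int
    image: bytes
    tag: bytes


def _mac(version: int, image: bytes, key: bytes = DEVICE_UPDATE_KEY) -> bytes:
    """Authentication tag binding the version number to the image bytes."""
    msg = version.to_bytes(4, "big") + image
    return hmac.new(key, msg, hashlib.sha256).digest()


def sign_update(version: int, image: bytes, key: bytes = DEVICE_UPDATE_KEY) -> FirmwareUpdate:
    """Vendor side: produce an authenticated update package."""
    return FirmwareUpdate(version, image, _mac(version, image, key))


def apply_update_unauthenticated(update: FirmwareUpdate) -> tuple:
    """Weak pattern: anything that reaches the communications module is flashed.
    Nothing ties the image to the vendor, so a forged package is accepted."""
    return update.version, update.image


def verify_update(update: FirmwareUpdate,
                  installed: int = INSTALLED_VERSION,
                  key: bytes = DEVICE_UPDATE_KEY) -> tuple:
    """Hardened pattern: return (ok, reason). The tag is compared in constant
    time, and an image whose version is not newer than the installed one is
    refused so a known-bad older build cannot be pushed back onto the device."""
    expected = _mac(update.version, update.image, key)
    if not hmac.compare_digest(expected, update.tag):
        return False, "authentication failed"
    if update.version <= installed:
        return False, "version not newer than installed"
    return True, "accepted"


def apply_update_authenticated(update: FirmwareUpdate,
                               installed: int = INSTALLED_VERSION,
                               key: bytes = DEVICE_UPDATE_KEY) -> tuple:
    """Flash only after verify_update() passes; otherwise keep current firmware."""
    ok, reason = verify_update(update, installed, key)
    if not ok:
        return installed, reason
    return update.version, update.image


if __name__ == "__main__":
    genuine = sign_update(4, b"firmware-v4")
    # Constructed forgery: built without the vendor key, as a network-only attacker would have to.
    forged = FirmwareUpdate(4, b"untrusted-image", _mac(4, b"untrusted-image", b"wrong-key"))
    print("unauthenticated path accepts forgery:", apply_update_unauthenticated(forged))
    print("authenticated path, genuine:", apply_update_authenticated(genuine))
    print("authenticated path, forged:", apply_update_authenticated(forged))
```

The version check matters as much as the tag: without it, a correctly signed but older image (one still carrying a known defect) is a valid way back in, which is why the verifier binds the version number into the authenticated data rather than reading it from an unprotected header.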
This isn’t the first time Rios has discovered security gaps in hospital devices. The former Marine platoon commander’s research into faulty pump security helped jumpstart a US probe into Hospira’s equipment in 2014, including its PCA 3 pump. The results weren’t exactly heartening. “Over 400 days later, we have yet to see a single fix for the issues affecting the PCA 3,” Rios wrote in a blog post today.

Last month, the US Food and Drug Administration issued a warning about two of Hospira’s pumps based on Rios’ research. The warning didn’t include the Plum A+ pump, and Hospira hasn’t acknowledged a problem with that model. Rios doesn’t buy for a second that Hospira didn’t know how widespread the problem was. “I find it impossible to believe that Hospira was unaware that the PCA3 issues also affected other pumps in their product lines,” he wrote.

The closest thing to this kind of medical cyberattack is still that cheesy plotline from Homeland where the vice president’s pacemaker was remotely hacked. But Rios’ research proves that murder-by-medical-device was actually one of the more realistic Homeland twists.

[Wired | Billy Rios]

Contact the author at kate.knibbs@gizmodo.com .

Public PGP key

PGP fingerprint: FF8F 0D7A AB19 6D71 C967 9576 8C12 9478 EE07 10C


Image: Creative Commons