A HOSPITAL drug pump manufactured by a firm that supplies equipment to the NHS can be hacked by criminals to inflict lethal doses of medicines on patients.

In a chilling demonstration, The Mail on Sunday watched a security expert hack into an infusion pump using his laptop. He was able to control the pump and administer a potentially lethal dose – and warned that hackers or terrorists could do the same to target patients and commit ‘the perfect murder’.

In a meeting at a hotel room during the Black Hat cyber-security conference in Las Vegas, cyber safety expert Billy Rios, founder of Whitescope security, hacked the Symbiq infusion pump made by Hospira.

Cyber safety expert Billy Rios, (pictured) founder of Whitescope security, hacked the Symbiq infusion pump made by Hospira

The pumps are used to give doses of drugs for chemotherapy, as well as fluids and nutrients.

Mr Rios said: ‘These devices are going to be used in the future to hurt people. I have no doubt in my mind that that’s going to happen, if it hasn’t happened already.’

Asked whether it was wise for hospitals in the UK to continue to use the affected Hospira pumps, he said: ‘It’s a huge risk.’

During his research, Mr Rios ‘reverse-engineered’ the software – taking it apart and putting it back together – and found a ‘backdoor pass code’ which only the manufacturer is supposed to know.

He used that password, which is the same for all Hospira Symbiq infusion pumps, to hack into the device and send it commands.

He found similar vulnerabilities on five other Hospira infusion pumps, including the Plum A+ model, of which there are 254 in use in the UK. Although he has not carried out a hack on this machine, he said his research showed it would be vulnerable to attack.

(Pictured) A patient receiving an infusion. American firm ICU Medical, which owns Hospira, said: ‘The only impacted product used in the UK is the Plum A+

American firm ICU Medical, which owns Hospira, said: ‘The only impacted product used in the UK is the Plum A+. We have been working to convert all Plum A+ customers in the UK to the next-generation device.’

ICU said 254 Plum A+ pumps were still in use in the UK. The spokesman could not say whether the Plum A+ was being used in NHS hospitals but according to the NHS’s supply chain website, Hospira supplies equipment including intravenous tubing for this model, suggesting it is still being used.

An NHS spokesman said: ‘The infusion pumps investigated by The Mail on Sunday have not been licensed in the UK since 2013.

‘We have not had any reports of this sort of medical device being hacked or accessed unlawfully.’