Researcher warns drug pumps could be hacked to give fatal dose

A researcher says a line of IV drug pumps can be remotely hacked to deliver an incorrect, and possibly fatal, dosage of drugs to patients.

Security researcher Billy Rios told Wired that a range of pumps from manufacturer Hospira, including one line that the company stopped selling in 2013, contain a flaw that allows someone to alter the device’s software to change the dosage.

Hospira is able to update the pumps’ firmware, but Rios says the devices aren’t able to recognize the difference between an update from the manufacturer and one from another party. He also said a hacker could make it look as though the pump was still delivering the correct dosage of the drug.

Rios has a history of investigating the pumps. Earlier this year, he said he had found a related flaw that allowed someone to change the upper limits of a drug’s allowed dosage. In other words, if someone administered the drug at a higher dosage than should be allowed, the software could be modified so nobody was alerted to the problem.

He also says that a year ago he told Hospira about the flaw in one of the lines of pumps that allows hackers to deliver an incorrect dosage, but the company said it was not a problem. He then tested other pumps produced by the company. The Food and Drug Administration released an alert last month about vulnerabilities in the line of pumps that Rios says he warned the company about last year.

Hospira did not immediately reply to a request for comment.

Last year, Reuters reported that the Department of Homeland Security was investigating security vulnerabilities in medical devices. As cyber threats become more prominent, hospitals are also said to be paying more attention to the security of networked devices that could be vulnerable to attacks.