Flaw in drug pump’s security feature lets hackers raise dose limits
When Billy Rios had to undergo emergency surgery last summer after cerebral spinal fluid started leaking through his nose, he was only partially focused on his life-threatening condition. Rios was distracted by the computerized drug-infusion pumps that Stanford Medical Center used to administer medication to him and other patients. Rios, a security researcher, realized that he had purchased the same models of pumps months earlier on eBay in order to examine them for security flaws. All he could think about while the pump delivered his medication was the holes he had found in one of the brands that exposed it to hacking.
The brand in question was the popular LifeCare PCA drug infusion pump sold by Hospira, an Illinois firm with more than 55,000 of the intravenous drug pumps in hospitals around the world. The pumps are touted as having extra safety measures that minimize medication errors, reduce harm to patients and prevent deaths.
However, Rios found that the Hospira systems don’t use authentication for their internal drug libraries. These libraries set upper and lower boundaries for the dosages of various intravenous drugs that a pump can safely administer. As a result, anyone on the hospital’s network, be it a patient in the hospital or a hacker who can access the pumps over the internet, can load a new drug library onto the pumps and modify the limits, thereby possibly allowing a deadly dosage to be administered. Rios did not find that a hacker could modify an actual drug dosage, only that they could alter the allowable upper limit for a given drug. This means that someone could accidentally (or otherwise) set the pump to give too high or too low a dose. According to Rios, additional research could reveal other vulnerabilities. Researchers who examined different drug infusion pumps last year found that those pumps had a web network that allowed attackers to get in and change dosages.
Dr. Robert Wachter, associate chair of UC San Francisco’s Department of Medicine, says the issue is less worrisome than a flaw that allowed someone to change the actual drug dosages would be. But because the dosage boundaries in drug libraries are designed to prevent overdoses and deaths, which happen more often than patients think, raising the limit in a pump’s library means a hospital could fail to catch a dosage error and cause serious harm to patients.
“The risk from changing the bumpers—the high and low permissible doses—doesn’t seem to be very high,” Wachter says. “It’s probably not going to kill someone today. But in a big institution giving 100,000 medications over the course of a month, screwing around with those bumpers is going to cause harm at some point. That worries me. Anything like this at some point will kill someone.”
Wachter should know; his recently published book, Digital Doctor, focuses on the ways digital medical systems can go wrong. One excerpt published last week by Medium described an overdose scenario in which a nurse accidentally administered pills to a teenager that were 38 times his proper dosage, triggering a grand mal seizure.
The Hospira Pumps
The Hospira LifeCare pumps have been on the market since 2002 and, according to the company’s website, are “designed specifically to help prevent medication errors that commonly arise” by offering features that “enhance safe delivery” of drugs. One way they do this is by incorporating drug libraries into the pumps. Such libraries are available for every medication and set the parameters for its safe use. Drug limits, for example, differ for infants, children and adults. For infants and children, dosages are often based on weight, and in adults they can vary depending on gender. The libraries setting these limits are loaded onto the pumps, so that if a medical practitioner tries to administer a dosage that goes beyond the safe limit, the pump will raise an alert.
The Hospira pumps also use barcodes to refer to the correct drug library. A medical practitioner first scans the barcode on the intravenous drug package; a serial number in the barcode then tells the pump which drug library to refer to, so that the dosage the practitioner enters into the machine doesn’t go beyond the acceptable limit coded into that drug’s library. If a nurse enters an incorrect dosage, the pump is supposed to send an alert.
“This novel technology decreased the dangers of inadvertent human error and significantly reduced the risks associated with under-/over-medication dosing, due to wrong concentration,” the company said in a press release.
MedNet “safety software,” a Windows-based system designed by Hospira to communicate with the pumps, is installed on a hospital server to send drug library updates to the pumps. The updates are processed by a communication module built into each pump. The pumps work in listening mode so that new drug libraries and updates to existing ones can be pushed out to them as needed. To achieve this, the pumps listen on four ports: port 23 (for telnet communication), port 80 (for normal HTTP traffic), port 443 (for HTTPS traffic) and port 5000 (for UPnP). The pumps can also use their own WiFi connection for communication.
Rios found various security issues with the MedNet software itself, which hospitals use to communicate with the Hospira pumps. MedNet servers not only oversee the pumps in a hospital and send them drug libraries and updates; they are also used to make configuration changes to the pumps and to issue firmware updates and patches. Rios found four critical vulnerabilities in this management software that would allow hackers to install malware on the servers and use them to distribute unauthorized drug libraries to pumps or modify their configurations.
Among the vulnerabilities is a plaintext password that Hospira hardcoded into its software, which an unskilled attacker could use to exploit a SQL database in the system and take over administrative control of the MedNet server. Additionally, the system has hardcoded cryptographic keys that can be captured by an attacker and used to decrypt communication between the server and the pumps. The system also stores usernames and passwords in plaintext. All of the above, along with another vulnerability Rios found in the MedNet system, would allow an attacker to run malicious code on the server and take control of it to distribute rogue drug libraries to the pumps or modify their configurations.
However, it turns out that an attacker doesn’t actually have to take control of the server to send a rogue library to a pump, because the pumps themselves don’t verify whether the system sending them updates is the MedNet system. Any system on the hospital’s network can take control of these pumps to install a new library, and anyone who can reach the pumps over the internet through one of their internet-facing ports can do the same.
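Because the pumps accept library updates from any sender, a hospital network team has to enforce "only MedNet talks to pumps" on the network and watch for violations. The following is an added example, not code from the article or from Hospira; it reviews flow records for connections to the four pump ports named above from any other source. The addresses, subnets and log format are assumptions made for illustration.

```python
import ipaddress

# Assumed for this example (not from the article): addressing and log format.
PUMP_NET = ipaddress.ip_network("10.20.30.0/24")      # hypothetical pump VLAN
MEDNET_SERVERS = {ipaddress.ip_address("10.20.1.5")}  # hypothetical MedNet server
HOSPITAL_NET = ipaddress.ip_network("10.20.0.0/16")   # hypothetical internal range
# Listening ports the article attributes to the pumps.
PUMP_PORTS = {23: "telnet", 80: "http", 443: "https", 5000: "upnp"}

# Constructed flow records, one per line: "timestamp src dst dport".
SAMPLE_FLOWS = """\
2015-06-08T02:14:07Z 10.20.1.5 10.20.30.17 443
2015-06-08T02:15:41Z 10.20.44.9 10.20.30.17 23
2015-06-08T02:16:02Z 203.0.113.50 10.20.30.21 80
2015-06-08T02:16:30Z 10.20.44.9 10.20.5.8 443
this line is malformed
"""

def review_flows(text):
    """Return findings for connections to a pump's listening ports that
    come from anything other than an approved MedNet server."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        ts, src_s, dst_s, port_s = parts
        try:
            src = ipaddress.ip_address(src_s)
            dst = ipaddress.ip_address(dst_s)
            port = int(port_s)
        except ValueError:
            continue  # skip records with unparsable addresses or ports
        if dst not in PUMP_NET or port not in PUMP_PORTS:
            continue  # not traffic to a pump service
        if src in MEDNET_SERVERS:
            continue  # expected management traffic
        origin = "internal" if src in HOSPITAL_NET else "external"
        findings.append((ts, src_s, dst_s, port,
                         f"non-mednet-{origin}-{PUMP_PORTS[port]}"))
    return findings

if __name__ == "__main__":
    for finding in review_flows(SAMPLE_FLOWS):
        print(*finding)
```

An "external" finding means a pump port is reachable from outside the hospital range at all, which is a segmentation failure to fix at the firewall rather than just an alert to triage.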
Source: Wired.