
Hospira: BlackBerry infusion pump ‘hack’ was a sham

We figured it would not be long until Hospira defended the security of its LifeCare PCA infusion pump.

Remember that video we shared a few days ago of BlackBerry security experts showing how easy it was to hack a smart infusion pump? Two things about that: We were right that it was a LifeCare PCA pump from Hospira; and we figured it would not be long until Hospira defended its product.

Hospira, a Lake Forest, Ill.-based company that makes infusion systems and injectable drugs, sent MedCity News a statement that addresses the specific video and our story.

In the video, filmed during a live demonstration on stage at the recent BlackBerry Security Summit 2015 in New York, BlackBerry’s Graham Murphy physically connected a laptop to the pump’s Ethernet port, then took control of the medical device.

He then did the same via Wi-Fi. In both cases, he relied on the pump’s FCC ID, which let him identify the specific, fixed IP address associated with the product. But Hospira said BlackBerry also did something the audience did not see.

“Part of our investigation into the LifeCare PCA infusion pump demonstration included a conversation with one of the ‘hackers’ who admitted that they manipulated the firmware on the device by having physical access to it prior to their demonstration of the hack. This was not a remote or wireless ‘hack’ as the video implied and physical access to the device would be required to alter the settings as shown in the video,” the Hospira statement said.

As for the modifications Murphy made to the pump’s firmware while he was on camera, Hospira noted that hospitals likely would have better security than Murphy was dealing with.

“For a hacker to successfully attack an infusion pump, they would likely need to remove the device from the clinical environment, modify the pump and return the device to a clinical setting,” the statement said.

“These demonstrated hacks were done in non-clinical environments without the security protections and protocols typical of real patient care settings. For patient use, these devices are connected to hospital networks and any attempts to remotely attack an infusion device would require penetration of several layers of network security enforced by the hospital, including firewalls. These measures serve as the primary defense against tampering with a medical device.”

At least let’s hope every hospital that uses one of these pumps has better security. If not, you probably should avoid treatment there just to be safe, and the CIO should be fired. Just sayin’.
