Cybersecurity Officials: Hospira Device was Susceptible to Hacking

U.S. cybersecurity officials have issued an advisory warning users of Hospira’s LifeCare PCA Infusion System that the device may be vulnerable to a cyber-attack. 

According to the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, the weaknesses relate to user authorization and verification of data authenticity, which could allow hackers to access the pump’s controls and alter the type or amount of drug dispensed.

ICS-CERT says it’s not aware of any instances where someone specifically targeted the vulnerabilities, but a “low skill” hacker would be able to take advantage of them. The alert applies to LifeCare PCA versions 5.0 and earlier.

The DHS unit spent the last year working with Hospira to patch the vulnerabilities, and updated software is being reviewed by the FDA, ICS-CERT says. A release date for the new version has not been set.

While noting that the company is addressing the vulnerabilities, Hospira spokeswoman Tareta Adams says hackers would have to penetrate several layers of network security enforced by hospital information systems, including secure firewalls. “Network security serves as the first and strongest line of defense against tampering, while software provides an additional layer of security,” she says.

To read the ICS-CERT advisory, go to www.fdanews.com/05-07-15-ICSCERT.pdf. — Kellen Owings

Learn industry best practices to assure your device’s software safety at the Software and Cybersecurity Risk Management for Medical Devices Workshop, May 11-12, in Rockville, Md. Fubin Wu, co-founder of GessNet, will bring you up to speed on the FDA’s latest research on medical device software best practices, software risk management-related standards and guidance and key factors in effective software risk management. Register today.