More Hospira Pumps Susceptible to Cyberattack, DHS Warns

June 12, 2015

The Department of Homeland Security issued an alert that more Hospira infusion systems may be susceptible to cyberattacks that could lead to over- or under-infusion of medications.

The latest memo from Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, released Wednesday, warns that a hacker with low skills could access the systems remotely and change the medication dosage.

The warning affects Hospira’s Plum A+, Plum A+3 and Symbiq infusion systems.

ICS-CERT says the devicemaker is communicating with customers on steps to mitigate the vulnerability and is releasing its Plum 360 infusion system, which is not vulnerable to the same cyberattacks.

Homeland Security is recommending that healthcare providers change a default password on the systems, monitor and log all network traffic attempting to access the systems, maintain layered security and isolate all medical devices from the internet and untrusted systems.

An independent researcher, Billy Rios, first identified the vulnerabilities in the LifeCare system in May 2014, according to the ICS-CERT advisory.

In May, ICS-CERT and the FDA issued warnings for Hospira’s LifeCare PCA Infusion System.

At the time, Hospira said it had developed a new version that will not be susceptible to hackers and that the FDA is reviewing its 510(k) submission.

To read the ICS-CERT advisory, go to www.fdanews.com/06-15-Hospira.pdf. — John Bechtel