Skip to Main Content
Hospital computer security vulnerabilities - Avira

Homicide No Longer Requires Proximity

Although computerized hospital pumps are widely known to be beneficial for mitigating dosage errors, news of hackable hospital pumps came to public attention a few months ago when security researcher Billy Rios discovered a pump that doesn’t use authentication for its drug library – thus enabling a hacker to load a different library into the device, which in theory could lead to a deadly dose being delivered. But new findings by Rios indicate that hackers may now themselves be able to remotely administer a deadly dose of a drug to a patient.

The Vulnerabilities

According to Rios’s findings, a hacker could alter – from within the hospital computer network or even over the Internet – the allowable upper dosage limit to give either too low or too high a dose. Doctors or nurses could then accidentally set the machine to give too high or low a dose without the machine issuing an alert.

When the story initially broke, this alteration of dosage limits was not considered to be such a severe vulnerability as if the hacker could himself set the dosage amount (remotely). However, now Rios has found a new vulnerability that would allow hackers to remotely set the dosage amount by altering the firmware to gain total device control.

Coupling the previously known ability to change the drug library data with the newly found ability to remotely set the amount of the dose, a hacker can now potentially deliver a lethal dose of medication.

Pervasiveness of the Problem

How widespread the vulnerabilities are is yet unknown, but with estimates limited to just the one manufacturer whose pumps Rios discovered these vulnerabilities in, close to half a million intravenous medicine pumps globally could be affected.

Naïvety or Denial?

When Rios initially notified the company making the pumps in question, that its pumps could have their firmware changed by hackers, the company insisted that the pumps are safe because of partitioning between the comms module and motherboard. Rios found that, while the physical partition does exist, a serial cable connects the two components “in a way that you can actually change the core software on the pump.”

As the company uses this same approach for remotely delivering firmware updates to its computerized pumps, it is unclear as to why any computerized-equipment maker would be so skeptical of their own methods being used by hackers. Regardless, while the company works on a proof-of-concept that their devices have no vulnerabilities, Rios is working on his own proof-of-concept to the contrary, which he plans to share during the 2015 SummmerCon security conference in Brooklyn.

“You can talk to that communication module over the network or over a wireless network,” Rios told Wired (read the full Wired report here).

Marketing/Branding guy, copywriter (Industrial Poet), M.Ed., editor, singer-songwriter/guitarist, reader, writer, and daddy to two amazing girls.Prior to joining Avira in summer of 2014, Mashak helped another European IT security company grow from obscurity into a globally recognized industry leader (and household name).From 2008 to 2010, he worked with an IT market research firm as report editor for the CEMA region.Before that, he was a freelance marketing consultant, a high school English teacher, the owner of a property management company, served five years on sales and client-retention teams for the world's largest perimeter security firm, and dabbled with various small business ventures of his own.