The FDA recently issued an alert warning of cyber security vulnerabilities in Hospira’s Symbiq Infusion Pump and advising health care facilities to “transition to alternative infusion systems and discontinue use of these pumps.”
Hospira and independent researcher Billy Rios determined that the Symbiq Infusion System can be accessed remotely through a hospital’s network, enabling an attacker to control the device and change the dosage being delivered, “which could lead to over- or under-infusion of critical patient therapies,” according to the alert.
In an earlier blog post, Rios stated that several other Hospira infusion pumps are also affected by similar issues, including the LifeCare PCA, LifeCare PCA 3, LifeCare PCA 5, and Plum A+ Infusion Pumps.
A separate FDA alert was published on May 13, 2015, warning of security flaws in the LifeCare PCA 3 and PCA 5 Infusion Pump Systems, after Hextech Security’s Jeremy Richards published a detailed report on the vulnerabilities in the PCA 3.
The Symbiq vulnerability was first disclosed by US-CERT on June 23, 2015. “With remote access and elevated privileges, the Symbiq Infusion System can be remotely directed to perform unanticipated operations,” the US-CERT advisory noted.
While the FDA and Hospira said they aren’t aware of any unauthorized access or adverse events, the FDA is strongly encouraging health care facilities to switch to alternative systems “as soon as possible.”
And while Hospira has stopped manufacturing the Symbiq Infusion System, the FDA notes that it may still be available through third-party vendors. “The FDA strongly discourages the purchase of the Symbiq Infusion System from these parties,” the alert states.
ForgeRock co-founder Victor Ake told eSecurity Planet by email that the Hospira vulnerabilities serve as an excellent example of the importance of identity and access management (IAM) as part of security. “If in a situation like this we add contextual authentication and authorization, then hacking these systems becomes more difficult,” he said.
“It would also be helpful to be able to define what resources are valid, and under what conditions,” Ake added. “For example, even when there can be many library services available in a hospital, only some of them can service a pump, depending on the conditions, like types of libraries depending on the model, the prescription, and the human user that has the pump connected.”
The point, Ake said, is that IAM isn’t just relevant for human users — devices have identities as well. “They need to authenticate in every relationship they keep and relationships need to be validated,” he said. “First we need to be sure that the parties in the system are authentic, i.e. not cloned hardware, and then we need a mutual authentication process. The pump in this case is talking to a service endpoint without verifying the authenticity and without doing a mutual authentication.”
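The two steps Ake describes (authenticate both parties, then check whether this library service is valid for this pump under the current conditions) can be sketched as below. This is an added example, not code from Hospira, ForgeRock or the article: every identifier, key and rule is constructed, and an HMAC challenge-response over a pre-shared key stands in for whatever mutual authentication a real deployment would use (for example mutual TLS with device certificates), with both sides simulated in one process.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: every identifier, key and rule here is hypothetical.
PAIR_KEYS = {("pump-17", "lib-icu"): b"k" * 32}   # one secret per pump/service relationship
LIBRARIES = {
    "lib-icu":  {"models": {"model-A"}, "drugs": {"heparin", "morphine"}},
    "lib-peds": {"models": {"model-B"}, "drugs": {"morphine"}},
}
ON_SHIFT = {"nurse-42"}                            # clinicians allowed to operate pumps now


def prove(key, role, nonce):
    """Answer a challenge; the role label keeps a reflected answer from verifying."""
    return hmac.new(key, role + nonce, hashlib.sha256).digest()


def mutual_auth(pump_key, service_key):
    """Each side challenges the other with a fresh nonce; both must hold the same key."""
    n_pump, n_service = secrets.token_bytes(16), secrets.token_bytes(16)
    service_answer = prove(service_key, b"service", n_pump)
    pump_answer = prove(pump_key, b"pump", n_service)
    pump_accepts = hmac.compare_digest(service_answer, prove(pump_key, b"service", n_pump))
    service_accepts = hmac.compare_digest(pump_answer, prove(service_key, b"pump", n_service))
    return pump_accepts and service_accepts


def may_service(pump_id, model, service_id, service_key, drug, clinician):
    """Return (allowed, reason): authenticate the relationship, then check context."""
    pump_key = PAIR_KEYS.get((pump_id, service_id))
    if pump_key is None:
        return False, "no registered relationship"
    if not mutual_auth(pump_key, service_key):
        return False, "mutual authentication failed"
    library = LIBRARIES[service_id]
    if model not in library["models"]:
        return False, "library not valid for this pump model"
    if drug not in library["drugs"]:
        return False, "library does not cover the prescription"
    if clinician not in ON_SHIFT:
        return False, "clinician not authorized"
    return True, "ok"
```

The order matters: context rules are only evaluated after both sides have proven possession of the relationship key, so an unauthenticated endpoint learns nothing about which models or drugs a library covers.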
A recent eSecurity Planet article examined best practices for identity and access management.