Independent researcher discovers infusion pump security flaws

Through an independent investigation on medical infusion pumps, security researcher Billy Rios found security vulnerabilities in the devices, which prompted the U.S. Food and Drug Administration to issue a warning on the tools.

Rios and fellow researchers bought the pumps online last year and found "egregious issues," which they reported to the FDA and Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team, he says in an interview with HealthInfoSecurity.

Vulnerabilities in the Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems could allow unauthorized users to gain access to the devices and modify the doses they deliver, according to the warning from the FDA. Rios adds that because the problems are design issues in the way software is deployed by the pump, he believes other pumps made by Hospira are impacted by the vulnerabilities as well. 

"The fact that I looked at this pump and found these particular issues ... shows that when this pump was put to market, it didn't really undergo any kind of security [review] at all," Rios says. Interview