Healthcare security professionals have grappled with the challenge of securing electronic protected health information (ePHI) for years, and now, they face the added challenge of ensuring that smart medical devices are secured for patient use. “Smart devices” refers to the increasing amount of medical devices equipped with a network connection for the purpose of remotely controlling the device or sending its data to the patient’s computer or doctor. The benefits of this technology are clear, but for security professionals, the risks are even more glaring: with the possibility that a patient or doctor can remotely control a medical device, there is a possibility that a malicious actor could control it, too.
Early this month, versions 5.0 and earlier of the LifeCare PCA Infusion System, an intravenous patient-controlled analgesia (PCA) pump produced by pharmaceutical and medical device company Hospira, were found to have five vulnerabilities. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), part of the U.S. Department of Homeland Security (DHS), issued an advisory describing the risks posed by these remotely exploitable, “publicly disclosed vulnerabilities.” One of the vulnerabilities (CVE-2015-1011) allows unauthorized access to the device through the use of hardcoded passwords. It has been assigned a Common Vulnerability Scoring System (CVSS) base score of 10, the maximum level of severity.
Another one of the vulnerabilities (CVE-2015-3459) can be exploited to gain unauthorized access with root privileges on Port 23/TELNET by default. According to ICS-CERT, the flaw would allow the attacker to remotely modify “drug libraries, software updates, and pump configurations.” This vulnerability was also given a CVSS base score of 10. While the ICS-CERT advisory states that “it is not possible to remotely operate the LifeCare PCA Infusion pump,” the U.S. Food and Drug Administration (FDA) also issued an advisory warning that an unauthorized user “could access the pump remotely and modify the dosage it delivers, which could lead to over- or under-infusion of critical therapies.”
Hospira has developed a new version of the LifeCare system, according to the ICS-CERT advisory, which is not yet available. The company plans to retire versions 2 and 3 of the system at the end of 2015. In the meantime, ICS-CERT’s recommendations to mitigate the risk of LifeCare include:
- Conduct a risk assessment, examining the specific clinical uses of LifeCare in your environment.
- Isolate affected LifeCare systems from untrusted systems and the Internet and specially monitor them for unusual activity.
- Ensure that unused ports on LifeCare devices are closed.
- Check MD5 sums to see if any unauthorized changes to files have been made.
All organizations looking to mitigate the risks of smart medical devices can follow ICS-CERT’s recommendation to conduct regular risk assessments on their environments. Organizations should understand what normal network activity involving these devices looks like so they can identify unusual traffic. Finally, organizations should look out for information on vulnerabilities involving the smart medical devices they work with so they can act swiftly when flaws are discovered.