Research has shown that hackers can break into drug pumps in thousands of hospitals around the world and remotely change the dosage or the medication, or even kill you. Security expert Billy Rios conducted this research and found that hackers can remotely change the settings of an intravenous pump so that it no longer warns the physician about a mistake in setting the dosage. He said that anyone could do this, since these pumps are basically computers and part of a network.
Even though the manufacturer denied that such a problem could exist, Rios proved it by opening one pump and finding that the communications module and the circuit board were connected by a serial cable, which allows the core software to be changed.
Elementary knowledge of electronics and access to the hospital network make anyone who is logged on to that network a serious threat.
The configuration of the pump can be changed remotely through a wireless interface, so someone can change the drug that is being used or set the pump to do other things. Since the database with drug information and dosages does not require any form of authentication, a hacker can easily substitute it with their own.
The only thing that caused the manufacturer Hospira to take his claims into consideration was his discovery that the dosage could be changed remotely.
About five models can be misused in this manner: the standard PCA LifeCare pumps, the PCA3 and PCA5 models, the Symbiq series (which went offline in 2013 owing to safety issues) and the Plum A+, which is used in over 325,000 hospitals around the world.
Rios suspects that the Plum A incarnation and two models in the Sapphire range can be misused by hackers, too.
To this day, the manufacturer Hospira refuses to comment, even though the Food and Drug Administration issued warnings and recommendations to fix the bug and the possibility of remote access. Hospira refused to verify whether other pumps from its manufacturing line were also affected. However, the company released a statement saying that it has been working with the FDA and the Department of Homeland Security (DHS) to address the vulnerabilities.