Truly chilling – hackers can hijack drug pumps to kill hospital patients
A HOSPITAL drug pump manufactured by a firm that supplies equipment to the NHS can be hacked to inflict lethal doses of medicines on patients.
In a chilling demonstration, The Mail on Sunday watched a security expert use his laptop to hack into an infusion pump.
He was able to control the pump and administer a potentially lethal dose, and warned that terrorists could do the same to target patients and commit ‘the perfect murder’.
In a meeting during the Black Hat cyber-security conference in Las Vegas, Billy Rios, founder of Whitescope Security, hacked the Symbiq infusion pump made by Hospira. The pumps give doses of drugs for chemotherapy, as well as fluids and nutrients.
Mr Rios said: ‘These devices are going to be used to hurt people. That’s going to happen, if it hasn’t happened already.’
Asked if it was wise for UK hospitals to continue to use Hospira pumps, he said: ‘It’s a huge risk.’
Mr Rios ‘reverse-engineered’ the software and found a ‘backdoor pass code’ which only the manufacturer is supposed to know.
He used that password to gain access and found similar vulnerabilities on five other Hospira pumps, including the Plum A+ model, of which there are 254 in use in the UK. Although he has not carried out a hack on this machine, he said his research showed it would be vulnerable to attack.
US firm ICU Medical, which owns Hospira, said: ‘The only impacted product used in the UK is the Plum A+. We have been working to convert all Plum A+ customers in the UK to the next-generation device.’
An NHS spokesman said: ‘The infusion pumps investigated have not been licensed in the UK since 2013. We have not had any reports of this sort of medical device being hacked or accessed unlawfully.’