Hospira, a medical device manufacturer with a history of Food and Drug Administration warnings about the security of its drug pumps, has refused to issue a software update containing a security patch for its LifeCare PCA5 Infusion Pump System to security researcher Jeremy Richards.
Richards previously found security holes in Hospira's drug pumps, which are designed for the continuous delivery of medication, that could enable a remote attacker to take control of a device and administer a lethal dose. He once described the drug pump as "the least secure IP enabled device I’ve ever touched in my life."
Based on his research, the FDA issued a safety alert for Hospira's LifeCare PCA3 and PCA5 Infusion Pump Systems back in May. In July, the FDA also warned hospitals to stop using the Hospira Symbiq Infusion System. Both drug pump systems are intended to enhance patient safety by automating drug delivery.
The security patch Richards requested was not related to the May safety alert, but instead fixed a vulnerability Hospira had already inadvertently addressed in 2009 when it removed the affected service.
Richards purchased the PCA5, which runs the unpatched pre-2009 software, for less than $100 on eBay earlier this year for research purposes. On September 23, he alerted ICS-CERT [the US government agency that issues cybersecurity advisories] of the vulnerability. ICS-CERT contacted Hospira on Richards's behalf. On October 8, Richards says, he requested a security patch.
Frustrated by the slowness of getting a response, on October 13 Richards called Hospira’s technical support line and asked if he could buy the security patch. According to Richards, Hospira quoted him a price of at least $175, “depending on what we need to do with the pump,” and promised him a call back—which, he says, he never received.
On November 13, Hospira responded via ICS-CERT rejecting his request for a security patch, saying that because the drug pumps are prescription devices, Hospira will only provide software updates to health care organizations or to security consulting firms that have agreed to the company’s terms and conditions—but not to Richards as an individual, according to the email he provided Motherboard.
"The duty of the vendor and their brand is to ensure that everyone gets the latest and greatest measures to ensure their safety."
“For these reasons, we are declining the request to update the pumps that the researcher purchased on eBay,” the company wrote.
Richards believes Hospira's decision is based on a desire to avoid bad publicity, not a desire to secure its devices.
"They will probably patch hospital pumps," he wrote in a Twitter DM. "And yes, it is because they don't want me finding holes in their patched stuff (in my opinion)."
Joshua Corman, founder of I Am The Cavalry, a global grassroots organization focused on issues where computer security intersects public safety and human life, told Motherboard in a phone call that Hospira’s position was understandable but shortsighted.
"There's a common misperception that your internal security team and contracted third parties are sufficient to finding and remediating all known security issues,” Corman said.
"The understandable position Hospira seems to be taking with this researcher...only enables adversaries to continue to have the advantage,” he added. “Researchers are not their adversaries; adversaries are their adversaries. These Ts & Cs won't stop their true adversaries from getting what they want.”
Corman gave the example of Microsoft which, he said, not only employs an internal security team, and pays third-party security consultants, but also runs a bug bounty program that pays up to six figures (in US dollars) for the most severe vulnerabilities.
"And in spite of all three categories of willing allies,” Corman said, “they still need to fix one-to-several dozen security issues per month in their products, and they are considered one of the best in the world."
As Motherboard has previously reported, cybersecurity of medical devices is 15 to 25 years behind other industries. The healthcare sector is still learning how to implement well-developed cyber hygiene practices.
Device manufacturers like Hospira typically provide security patches directly to hospitals and clinics that use their products, said Suzanne Schwartz, director of emergency preparedness/operations and medical countermeasures in the FDA's Center for Devices and Radiological Health.
“Outside the clinical setting, this is an evolving area and one that the FDA is continuing to work on with stakeholders, including manufacturers and independent security researchers,” she said in a statement.
Hospira defended its decision not to issue a security patch. “In the interest of patient safety, it is Hospira's practice to provide pump upgrades or enhancements only for devices purchased and maintained within the protected supply chain and to avoid devices that have been modified with after-market or unregulated features that should not be on the market,” the company said in a statement.
Yet, Corman suggested, there is precedent for after-market support to correct safety issues. He gave the example of the automotive industry, where safety recalls are good for the life of the vehicle, including used cars no longer owned by the original purchaser.
"The duty of the vendor and their brand is to ensure that everyone gets the latest and greatest measures to ensure their safety,” he said.
A coordinated disclosure policy that invites collaboration by third-party researchers would not only make Hospira’s devices more secure, but also make bad publicity far less likely, Corman said. “Most researchers will never expect reward or recognition, because the act of publicizing the vulnerability goes counter to a desire to protect the public.”
“There are way more of these vulnerabilities that are found and remediated than you ever hear about in the news,” he said. “That’s good for researchers and good for patients and good for everyone.”