On July 31 the FDA issued a safety alert encouraging health care facilities to stop using Hospira Symbiq pumps due to cybersecurity concerns. This is not the first alert concerning hospital equipment cybersecurity and certainly will not be the last. If a hospital must temporarily continue using Symbiq pumps until replacements are in place, the following temporary measures should be taken (FDA, 2015):
Disconnect the affected product from the network. Caution: Disconnecting the affected product from the network will have operational impacts. Disconnecting the device will require drug libraries to be updated manually. Manual updates to each pump can be labor intensive and prone to entry error.
Ensure that unused ports are closed, including Port 20/FTP and Port 23/TELNET.
Monitor and log all network traffic attempting to reach the affected product via Port 20/FTP, Port 23/TELNET and Port 8443. Contact Hospira’s technical support to change the default password used to access Port 8443 or close it.
A security researcher investigating Hospira devices noted multiple vulnerabilities, including vulnerabilities in PCA LifeCare pumps; its PCA3 LifeCare and PCA5 LifeCare pumps; its Symbiq line of pumps, which Hospira stopped selling in 2013; and its Plum A+ model of pumps (Zetter, 2015).
Additionally, Hospira had vulnerabilities in earlier versions of its MedNet server software (5.8 and earlier). The US Department of Homeland Security assigned a vulnerability score of 10.0, the highest vulnerability severity score possible. These vulnerabilities included (ICS-CERT, 2015):
Hard-coded cryptographic key: The MedNet software uses hard-coded cryptographic keys that could enable an attacker to intercept encrypted traffic from infusion pumps.
Hard-coded password: The MedNet software contains plaintext storage of passwords for the SQL database that may allow an attacker to compromise the MedNet SQL server and gain administrative access to the workstation.
Password in configuration file: The MedNet software stores clear text usernames and passwords on the local file system that were used during the installation process that may allow a malicious user to compromise the MedNet installation.
Improper control of generation of code: The MedNet software uses vulnerable versions of the JBoss Enterprise Application Platform software that may allow unauthenticated users to execute arbitrary code on the target system.
All hospitals using Hospira MedNet software should update to version 6.1 or later, which no longer uses hard-coded passwords, hard-coded cryptographic keys and no longer stores passwords in clear text.
Recommendations for all hospitals, regardless of equipment used
While this report focuses on Hospira equipment, other devices are also vulnerable, and the scope of the vulnerabilities is unknown. Hackers have already exploited various vulnerabilities. Attackers use the vulnerable system to install malicious software in the hospital’s information system then steal data or establish a botnet. Devices successfully attacked have included: blood gas analyzers, PACS systems and X-ray systems (Storm, 2015). Homeland Security encourages hospitals to take the following general measures against cybersecurity risks to all their equipment (ICS-CERT, 2015):
Maintain layered physical and logical security to implement defense-in-depth security practices for environments operating medical devices.
Minimize network exposure for all medical devices and/or systems, and ensure that they are not accessible from the Internet.
Produce an MD5 checksum of key files to identify any changes to files.
Follow good network design practices that include network separation and segmentation; use DMZs with properly configured firewalls to selectively control traffic; and monitor traffic passed between zones and systems to identify anomalous activity.
Locate all medical devices and/or systems behind firewalls, and isolate them from the business network. Use the static nature of these isolated environments to look for anomalous activities.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.