In 2015, death is just a mouse click away. The Food and Drug Administration sent a safety warning to hospitals nationwide on July 31, alerting staff that computerized infusion pumps made by medical device giant Hospira are vulnerable to hackers. Unlike the headline-making data breaches we're accustomed to reading about, what patients stand to lose this time around isn't their privacy, but their lives.
The pumps' vulnerability was discovered in 2014 by security researcher Billy Rios, who works out of his garage in Half Moon Bay. Hospira pumps, which deliver medicine to patients in hospitals and nursing homes across the country, have a wireless component that allows hackers to remotely access and control them.
"With this vulnerability you could kill someone 100 miles away, 1,000 miles away," Rios told SF Weekly. "We're dumping the entire vial into the IV," he said, spelling out the worst-case scenario. He added that the attack could be done from anywhere: "We could do it from a Starbucks."
Rios contacted the FDA and Hospira more than a year before he went public with his findings. Despite this, updated software still isn't available to hospitals, and the hackable pumps are still in use around the country.
When reached for comment, Hospira provided SF Weekly with a prepared statement saying that the company has worked with health care providers to mitigate risk, and that the Symbiq Infusion System is set to be retired at the end of 2015. However, that system is only one of the five lines of Hospira products that Rios identified as vulnerable.
SF Weekly reached out to Kaiser Permanente, San Francisco General, UCSF, St. Mary's, and Saint Francis Memorial hospitals with questions about protocol for digital security, but none of the facilities gave an on-the-record response.
This doesn't surprise Rios. "Hospitals know devices are vulnerable," Rios said. "The folks at Kaiser, they're not willing to go on the record." This despite the fact that "the [Kaiser Permanente digital] security team is one of the best," according to Rios.
A spokesperson for Kaiser Permanente assured SF Weekly that the facility doesn't use vulnerable Hospira-brand pumps. However, as Rios said, this problem isn't limited to Hospira.
"Pretty much any major [medical device] manufacturer you can think of" is implicated, he said. He argues that medical device manufacturers and hospitals are failing patients by not moving quickly to address digital vulnerabilities.
"At the end of the day, it's all about giving [the patient] care," Rios said. "If you want a data point as to whether or not you should do a recall, what you're saying is you're waiting for someone to die."
