Hospira LifeCare PCA Infusion System Vulnerabilities

Act NowICS-CERT ICSA-15-125-01Feb 5, 2015

Summary

The Hospira LifeCare PCA Infusion System contains authentication bypass vulnerabilities (CWE-285) that allow unauthenticated network access to device controls. An attacker with network connectivity to the infusion pump could circumvent security checks and modify infusion parameters, including drug delivery rates, dosages, and alarm settings. The vulnerability affects all versions up to and including version 5.0. No patch is available from the vendor. The LifeCare PCA is a networked infusion pump used for patient-controlled analgesia and continuous medication delivery in clinical settings.

What this means

What could happen

An attacker with network access could bypass authentication controls on the infusion pump, potentially allowing unauthorized modification of drug delivery parameters, dosing rates, or alarm settings. This could result in incorrect medication administration, overdose, underdose, or alarm suppression that delays detection of pump malfunctions.

Who's at risk

Hospital clinical engineering, pharmacy, and nursing staff responsible for infusion pump deployment and monitoring. This affects any institution using Hospira LifeCare PCA (Patient-Controlled Analgesia) systems for pain management—typically in surgical recovery, oncology, and acute care units. Patient safety is at direct risk.

How it could be exploited

An attacker on the hospital network could send commands directly to the LifeCare PCA system without providing valid credentials, exploiting missing or weak authentication checks. The attacker could then alter infusion parameters or disable safety features through the device's network interface.

Prerequisites

Network access to the LifeCare PCA Infusion System
Knowledge of the device's command protocol or web interface
The device must be accessible from the attacker's network segment

remotely exploitableno authentication requiredno patch availableaffects safety systemsmedical device

Exploitability

Likely to be exploited — EPSS score 17.7%

Affected products (1)

ProductAffected VersionsFix Status

LifeCare PCA Infusion System: <=5.0≤ 5.0No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/3

HARDENINGImplement network segmentation to isolate the LifeCare PCA Infusion System on a separate VLAN or subnet with restricted access from general hospital networks

WORKAROUNDDeploy firewall rules to limit network access to the infusion pump to only authorized clinical workstations and nursing stations

WORKAROUNDDisable remote network access to the pump if not clinically required; use physical/local controls only where possible

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGImplement endpoint monitoring and logging on devices that communicate with the LifeCare PCA system to detect unauthorized access attempts

HARDENINGEstablish procedures to verify pump programming and settings at the bedside before each patient infusion session

CVEs (1)

CVE-2015-3459

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/f6263541-1d9e-4948-a40e-d63a42f98516

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.