OTPulse

Hospira LifeCare PCA Infusion System Vulnerabilities

Act Now · ICS-CERT ICSA-15-125-01 · Feb 5, 2015
Summary

The Hospira LifeCare PCA Infusion System contains authentication bypass vulnerabilities (CWE-285) that allow unauthenticated network access to device controls. An attacker with network connectivity to the infusion pump could circumvent security checks and modify infusion parameters, including drug delivery rates, dosages, and alarm settings. The vulnerability affects all versions up to and including version 5.0. No patch is available from the vendor. The LifeCare PCA is a networked infusion pump used for patient-controlled analgesia and continuous medication delivery in clinical settings.

What this means
What could happen
An attacker with network access could bypass authentication controls on the infusion pump, potentially allowing unauthorized modification of drug delivery parameters, dosing rates, or alarm settings. This could result in incorrect medication administration, overdose, underdose, or alarm suppression that delays detection of pump malfunctions.
Who's at risk
Hospital clinical engineering, pharmacy, and nursing staff responsible for infusion pump deployment and monitoring. This affects any institution using Hospira LifeCare PCA (Patient-Controlled Analgesia) systems for pain management—typically in surgical recovery, oncology, and acute care units. Patient safety is at direct risk.
How it could be exploited
An attacker on the hospital network could send commands directly to the LifeCare PCA system without providing valid credentials, exploiting missing or weak authentication checks. The attacker could then alter infusion parameters or disable safety features through the device's network interface.
Prerequisites
  • Network access to the LifeCare PCA Infusion System
  • Knowledge of the device's command protocol or web interface
  • The device must be accessible from the attacker's network segment
Tags: remotely exploitable · no authentication required · no patch available · affects safety systems · medical device
Exploitability
High exploit probability (EPSS 17.7%)
Affected products (1)
Product                      | Affected Versions | Fix Status
LifeCare PCA Infusion System | ≤ 5.0             | No fix (EOL)
Remediation & Mitigation
Do now
  • [HARDENING] Implement network segmentation to isolate the LifeCare PCA Infusion System on a separate VLAN or subnet with restricted access from general hospital networks
  • [WORKAROUND] Deploy firewall rules to limit network access to the infusion pump to only authorized clinical workstations and nursing stations
  • [WORKAROUND] Disable remote network access to the pump if not clinically required; use physical/local controls only where possible
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • [HARDENING] Implement endpoint monitoring and logging on devices that communicate with the LifeCare PCA system to detect unauthorized access attempts
  • [HARDENING] Establish procedures to verify pump programming and settings at the bedside before each patient infusion session
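As an added example (not part of the OTPulse advisory or any vendor tooling), the segmentation, allow-list and monitoring steps above can be checked against firewall logs: the script below flags connection attempts to an isolated pump VLAN from sources outside the authorized clinical workstation and nursing-station segments, whether the firewall accepted or dropped them. The subnets, the log line format, the ports and the sample log entries are constructed assumptions for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed assumptions: the isolated pump VLAN and the client segments allowed to reach it.
# None of these addresses come from the advisory.
PUMP_SUBNET = ipaddress.ip_network("10.50.7.0/24")        # infusion-pump VLAN
AUTHORIZED_CLIENTS = [
    ipaddress.ip_network("10.20.1.0/24"),  # clinical engineering workstations
    ipaddress.ip_network("10.20.5.0/24"),  # nursing-station workstations
]

# Assumed, simplified firewall log format: "<ts> <ACCEPT|DROP> src=<ip> dst=<ip> dport=<port>"
LOG_RE = re.compile(r"^(\S+) (ACCEPT|DROP) src=(\S+) dst=(\S+) dport=(\d+)$")

def unauthorized_pump_access(log_lines):
    """Return (src, dst, dport) for every attempt to reach the pump VLAN from a
    source outside the authorized segments. Dropped attempts are included on
    purpose: a DROP from an unexpected host is still an access attempt worth triage."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        _ts, _action, src, dst, dport = m.groups()
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue  # unparseable address, skip
        if dst_ip not in PUMP_SUBNET:
            continue  # traffic not aimed at the pump segment
        if any(src_ip in net for net in AUTHORIZED_CLIENTS):
            continue  # allow-listed clinical client
        findings.append((src, dst, int(dport)))
    return findings

def summarize_by_source(findings):
    """Count flagged attempts per source address, for triage."""
    return Counter(src for src, _dst, _port in findings)

# Constructed sample log: two authorized sessions, two attempts from a non-clinical host,
# one attempt the firewall dropped, and one malformed line.
SAMPLE_LOG = [
    "2015-02-05T10:01:02Z ACCEPT src=10.20.5.14 dst=10.50.7.21 dport=80",
    "2015-02-05T10:02:10Z ACCEPT src=10.20.1.8 dst=10.50.7.21 dport=80",
    "2015-02-05T10:05:33Z ACCEPT src=172.16.40.9 dst=10.50.7.21 dport=80",
    "2015-02-05T10:05:34Z ACCEPT src=172.16.40.9 dst=10.50.7.22 dport=8443",
    "2015-02-05T10:07:00Z DROP src=192.168.99.3 dst=10.50.7.21 dport=80",
    "malformed line",
]

if __name__ == "__main__":
    for src, count in summarize_by_source(unauthorized_pump_access(SAMPLE_LOG)).items():
        print(f"{src}: {count} attempt(s) to reach the pump VLAN from outside authorized segments")
```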