Hospira LifeCare PCA Infusion System Vulnerabilities
Act Now · ICS-CERT ICSA-15-125-01B · Feb 5, 2015
Summary
Hospira LifeCare PCA Infusion System versions 5.0 and earlier contain multiple security vulnerabilities including weak authentication, hardcoded credentials, missing encryption, and buffer overflows. The system is used to deliver medication via programmable infusion pumps and is deployed in hospital settings.
What this means
What could happen
An attacker with network access could modify drug dosage setpoints, stop infusions, or alter medication delivery parameters, directly threatening patient safety. These systems are life-critical and any unauthorized command could cause patient harm.
Who's at risk
Hospital pharmacy and nursing staff who administer medication via Hospira LifeCare PCA infusion pumps. This affects critical medication delivery in acute care, post-operative pain management, and cancer treatment settings. Any hospital relying on LifeCare PCA systems for patient care is at risk.
How it could be exploited
An attacker on the hospital network could connect to the LifeCare PCA system using weak or default credentials, then exploit authentication or encryption weaknesses to send unauthorized commands that alter infusion parameters or interrupt drug delivery. The vulnerabilities span weak credential handling (hardcoded passwords), lack of encryption for data in transit, and memory-safety defects (buffer overflows) that could allow code execution.
Prerequisites
- Network access to the LifeCare PCA system on the hospital network
- Knowledge of default or weak credentials used by the system
- No authentication bypass required due to weak authentication mechanisms
- Access to standard network tools to communicate with the infusion pump controller
- No authentication required due to weak credential handling
- Hardcoded credentials present
- No encryption of data in transit
- Life-critical medical device affecting patient safety
- No patch available for affected versions
- Buffer overflow vulnerabilities enabling potential code execution
- High EPSS score (17.7%)
Exploitability
High exploit probability (EPSS 17.7%)
Affected products (1)
Product | Affected Versions | Fix Status
LifeCare PCA Infusion System | ≤ 5.0 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Implement network segmentation to isolate LifeCare PCA systems on a dedicated, restricted VLAN with strict access controls; allow only authorized clinical workstations and pharmacy systems to communicate with infusion pumps
HARDENING: Deploy network monitoring and intrusion detection on the medical device network to detect unauthorized access attempts or anomalous commands to infusion pumps
WORKAROUND: Enforce strong authentication policies: change all default credentials, disable any hardcoded accounts, and require strong passwords for clinical workstation access to the system
WORKAROUND: If available, enable encryption for all communication between clinical workstations and infusion pump controllers
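The segmentation and monitoring items above can be checked mechanically against flow records from the medical device network. The following is an added example (not code from the advisory, ICS-CERT, or Hospira) that runs a simple allowlist rule set over constructed flow-log lines: any host outside the clinical allowlist reaching the pump VLAN is flagged, and so is any pump initiating traffic to another pump, since pumps should only be spoken to by authorized clinical systems. The VLAN range, the allowlisted workstation and pharmacy server addresses, the flow-log format and the port numbers are all assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed addressing for this example (not from the advisory): the infusion
# pumps sit on a dedicated VLAN, and only two clinical hosts may reach them.
PUMP_VLAN = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_CLIENTS = {
    ipaddress.ip_address("10.10.5.11"),  # nursing workstation (assumed)
    ipaddress.ip_address("10.10.5.12"),  # pharmacy server (assumed)
}

# Constructed flow-log format: "<time> <src>:<sport> -> <dst>:<dport> <proto>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def parse_flow(line):
    """Return the flow fields as a dict, or None for an unparseable line."""
    m = FLOW_RE.match(line.strip())
    return m.groupdict() if m else None


def check_flow(flow):
    """Apply the segmentation rules to one parsed flow; return an Alert or None."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    if dst not in PUMP_VLAN:
        return None  # not pump traffic; outside the scope of these rules
    if src in PUMP_VLAN:
        return Alert(flow["ts"], flow["src"], flow["dst"], int(flow["dport"]),
                     "pump-to-pump traffic; pumps should not initiate to each other")
    if src not in ALLOWED_CLIENTS:
        return Alert(flow["ts"], flow["src"], flow["dst"], int(flow["dport"]),
                     "source not on clinical allowlist")
    return None


def check_flows(lines):
    """Run every flow-log line through the rules; unparseable lines are skipped."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        alert = check_flow(flow)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample flows: two legitimate clinical connections, one from an
# unknown host, one pump-to-pump flow, one unrelated flow and one garbage line.
SAMPLE_FLOWS = [
    "2015-02-05T10:00:01 10.10.5.11:49152 -> 10.20.30.7:23 tcp",
    "2015-02-05T10:00:05 10.10.5.12:49200 -> 10.20.30.7:80 tcp",
    "2015-02-05T10:02:17 10.10.77.40:51234 -> 10.20.30.7:23 tcp",
    "2015-02-05T10:03:40 10.20.30.9:40000 -> 10.20.30.7:23 tcp",
    "2015-02-05T10:04:00 10.10.77.40:51235 -> 10.10.5.11:445 tcp",
    "garbage line",
]

if __name__ == "__main__":
    for a in check_flows(SAMPLE_FLOWS):
        print(f"{a.ts} {a.src} -> {a.dst}:{a.dport}  {a.reason}")
```

Feeding real flow records (NetFlow/IPFIX exports or firewall connection logs, converted to the line format above) into `check_flows` gives a daily list of hosts that the VLAN access controls should have blocked; an empty list is evidence the segmentation rule in the first HARDENING item is actually holding.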
Long-term hardening
HOTFIX: Work with Hospira and your hospital IT/biomedical team to evaluate firmware updates or replacement systems, as no patch is available for version 5.0 and earlier