OTPulse

Hospira LifeCare PCA Infusion System Vulnerabilities

Low Risk · ICS-CERT ICSA-15-132-01 · Feb 12, 2015
Summary

The Hospira LifeCare PCA Infusion System, versions 5.0 and earlier, transmits sensitive patient medication data across the network in cleartext (CWE-312: Cleartext Transmission of Sensitive Information). An attacker with access to that network path can intercept confidential patient information and, because the channel is also unauthenticated, potentially modify infusion parameters. The vendor has not released a patch for this product.

What this means
What could happen
An attacker with network access to the infusion pump could intercept unencrypted patient medication data or manipulate infusion parameters, potentially causing incorrect drug dosing or delivery interruption to patients under care.
Who's at risk
This affects hospitals and healthcare facilities using Hospira LifeCare PCA (patient-controlled analgesia) infusion pumps for pain management and medication delivery. Clinical engineering, nursing, and pharmacy departments depend on these devices for safe patient care delivery.
How it could be exploited
An attacker on the same network as the LifeCare PCA system could intercept unencrypted communications between the pump and associated devices (CWE-312: cleartext transmission of sensitive data). By capturing or modifying network traffic, they could read patient medication information or alter infusion setpoints without authentication.
Prerequisites
  • Network access to the LifeCare PCA Infusion System and its communications (same subnet or routed path)
  • No authentication or credentials required to intercept or modify traffic
Tags: no patch available · affects safety-critical medical device · cleartext transmission of sensitive data · low complexity attack
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product                        Affected Versions   Fix Status
LifeCare PCA Infusion System   ≤ 5.0               No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict physical and network access to the infusion pump to authorized clinical and biomedical staff only
Schedule — requires maintenance window

No patch exists for this product, so there is nothing to install; the firewall changes below may interrupt the pump's communication with its documented peers, so plan them for a maintenance window.

WORKAROUND: Review and document all devices and applications that communicate with the LifeCare PCA system and implement firewall rules to permit only necessary connections
Mitigations - no patch available
LifeCare PCA Infusion System: <=5.0 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate the LifeCare PCA Infusion System on a dedicated VLAN with restricted access from clinical workstations and administrative networks
HARDENING: Deploy network monitoring and intrusion detection on the subnet where the infusion pump operates to detect unauthorized access attempts or unusual traffic patterns
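The workaround (document every device that talks to the pump and allow only those connections) and the monitoring control (detect unauthorized access to the pump's subnet) are two halves of the same allowlist. The script below is an added example, not OTPulse, ICS-CERT or Hospira code: it takes a constructed inventory of documented flows, evaluates a constructed key=value firewall connection log against it, flags connections from restricted networks, connections to cleartext services on the pump, and undocumented peers, and produces the list of unknown talkers the communications review should resolve. All addresses, the inventory and the log format are assumptions; a real firewall or NetFlow export will need its own parser.

```python
"""Allowlist monitoring for an isolated infusion-pump VLAN.

Added example for this page; not OTPulse, ICS-CERT or Hospira code. Every
address, the documented-flow inventory and the log format are constructed
assumptions. Real firewall/NetFlow exports and hospital addressing will differ.
"""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical addressing: the pump sits alone on a dedicated biomedical VLAN.
PUMP_IP = ipaddress.ip_address("10.50.7.21")

# Networks that should have only restricted access to the pump (hypothetical).
RESTRICTED_NETS = [
    ipaddress.ip_network("10.20.0.0/16"),   # clinical workstations
    ipaddress.ip_network("10.90.0.0/16"),   # administrative network
]

# Output of the communications review: every flow the pump legitimately needs,
# as (initiator, responder, destination port, protocol). Hypothetical peers.
DOCUMENTED_FLOWS = {
    ("10.50.8.10", "10.50.7.21", 443, "tcp"),  # pump-management server -> pump
    ("10.50.7.21", "10.50.8.11", 514, "udp"),  # pump -> syslog collector
}

# Services that carry data in cleartext by design; a connection to one of them
# on a device already known to transmit patient data unencrypted deserves review.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}

# Constructed key=value firewall connection log (not a real vendor format).
SAMPLE_LOG = """\
2015-06-01T10:02:11Z fw01 conn src=10.50.8.10 dst=10.50.7.21 dport=443 proto=tcp action=allow
2015-06-01T10:02:15Z fw01 conn src=10.50.7.21 dst=10.50.8.11 dport=514 proto=udp action=allow
2015-06-01T10:03:40Z fw01 conn src=10.20.4.77 dst=10.50.7.21 dport=23 proto=tcp action=deny
2015-06-01T10:04:02Z fw01 conn src=10.50.8.42 dst=10.50.7.21 dport=80 proto=tcp action=allow
2015-06-01T10:04:30Z fw01 conn src=10.50.8.43 dst=10.50.7.21 dport=5000 proto=tcp action=allow
2015-06-01T10:05:00Z fw01 conn src=10.50.8.10 dst=10.50.8.11 dport=514 proto=udp action=allow
"""

LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dport: int
    proto: str


def parse_line(line):
    """Extract the connection tuple from one log line; None if it is not a conn record."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return Conn(m["src"], m["dst"], int(m["dport"]), m["proto"].lower())


def classify(conn):
    """Label a connection that touches the pump; None if documented or out of scope."""
    src, dst = ipaddress.ip_address(conn.src), ipaddress.ip_address(conn.dst)
    if PUMP_IP not in (src, dst):
        return None                      # not pump traffic; outside this monitor's scope
    peer = src if dst == PUMP_IP else dst
    # A restricted network reaching the pump is a segmentation failure even if
    # someone added it to the inventory, so this check comes before the allowlist.
    if any(peer in net for net in RESTRICTED_NETS):
        return "restricted-network"
    if (conn.src, conn.dst, conn.dport, conn.proto) in DOCUMENTED_FLOWS:
        return None
    if dst == PUMP_IP and conn.dport in CLEARTEXT_PORTS:
        return "cleartext-service:" + CLEARTEXT_PORTS[conn.dport]
    return "undocumented-peer"


def audit(log_text):
    """Return (line number, label, conn) for every flagged record in the log."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        conn = parse_line(line)
        if conn is None:
            continue
        label = classify(conn)
        if label is not None:
            findings.append((lineno, label, conn))
    return findings


def undocumented_peers(log_text):
    """Addresses that exchanged undocumented traffic with the pump, for the review list."""
    peers = set()
    for line in log_text.splitlines():
        conn = parse_line(line)
        if conn is None or classify(conn) is None:
            continue
        peers.add(conn.dst if conn.src == str(PUMP_IP) else conn.src)
    return sorted(peers, key=ipaddress.ip_address)


if __name__ == "__main__":
    for lineno, label, conn in audit(SAMPLE_LOG):
        print(f"line {lineno}: {label} {conn.src} -> {conn.dst}:{conn.dport}/{conn.proto}")
    print("peers to resolve in the communications review:", undocumented_peers(SAMPLE_LOG))
```

Run against a real export, the `undocumented_peers` list is the gap between the documented inventory and reality: each entry is either a device to add to the inventory (and the firewall allowlist) or an access attempt to investigate. Note that the denied telnet attempt from the clinical-workstation range is still reported; a block at the firewall is the control working, but the attempt itself is the event the monitoring control is meant to surface.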