Skip to Content

Security researcher claims he can hack into IV drug pumps


It’s bad enough to be so ill that you have to head to the hospital for treatment. Now you have to worry about getting the correct dosage of medication pumped into your body.

A security researcher said on Monday that he was able to hack into multiple IV drug pumps from the manufacturer Hospira (HSP) and alter the administered dosage, which could prove fatal for some patients.

For over a year, Billy Rios said he has publicly notified authorities like the Department of Homeland Security only to be ignored, Rios wrote in a blog post. He then said that a second security researcher went public with his findings on similar IV pump vulnerabilities, which led to the FDA issuing a cyber security safety advisory.

In an interview with Wired, Rios explained how he studied several of Hospira’s lineup of IV pumps and apparently discovered that a hacker could remotely tamper with the device and cause the wrong dosage to be given.

Supposedly, the way the IV pumps are updated leave them vulnerable to be tampered with. Rios claims that the IV pumps will accept any update to the products’ firmware, which in the case of a hacker, means that someone up to no good could tweak with the dosage.

This hacking news comes at a time when another security researcher has claimed to have found vulnerabilities onboard a United Airplanes aircraft that supposedly could allow him to hack into the flight. The researcher was detained by the FBI for tweeting on his discovery and during the questioning, apparently said that he once hacked into a plane and caused it to fly in a sideways manner.

Hospira did not respond to Wired’s request for a comment. A request for comment was also sent by Fortune and we’ll update this post if we hear back.

Update- Hospira provided the following statement to Fortune:
Supporting safe and effective delivery of medication is Hospira’s priority. In the interest of patient safety, Hospira has been actively working with the Department of Homeland Security (DHS) and the U.S. Food and Drug Administration (FDA) regarding reported vulnerabilities in our infusion pumps. The company has communicated with customers on how to address the vulnerabilities following recent advisories from the FDA and DHS. There are no instances of cybersecurity breaches of Hospira devices in a clinical setting.

As we have been doing with DHS and FDA for some time, we will continue to investigate any feedback we receive on our devices. We will also continue to communicate with customers regarding cybersecurity, and software and infusion pump updates and/or enhancements.