Incident: Vulnerabilities in Hospira Drug Infusion Pumps Lead to Potential Fatal Dosage Errors

Published Date: 2015-04-09

Postmortem Analysis
Timeline
1. The software failure incident happened in 2015. [38894, 37117, 35057]
System
1. Hospira drug infusion pumps, including the LifeCare PCA, PCA3, PCA5, Symbiq, Plum A+, Plum A+3, Sapphire and SapphirePlus models [38894, 1477, 37117, 35057]
Responsible Organization
1. Hospira - Hospira was responsible for causing the software failure incident by producing drug infusion pumps with vulnerabilities that allowed hackers to remotely alter the dosage of drugs administered to patients [1477, 37117, 35057].
Impacted Organization
1. Patients in hospitals who were at risk of receiving incorrect dosages of medication due to vulnerabilities in the drug infusion pumps [38894, 1477, 37117, 35057]
2. Healthcare providers and hospital staff who relied on the drug infusion pumps for administering medication safely [38894, 1477, 37117, 35057]
3. FDA (Food and Drug Administration) as the regulatory body overseeing medical devices, including infusion pumps, and needing to address the reported vulnerabilities [1477, 37117, 35057]
4. Hospira, the manufacturer of the drug infusion pumps, facing scrutiny and needing to address the security flaws in their devices [38894, 1477, 37117, 35057]
Software Causes
1. The software causes of the failure incident include vulnerabilities found in several models of drug infusion pumps made by Hospira, allowing hackers to remotely alter the firmware on the pumps and change the dosages delivered to patients [Article 37117].
2. The software flaw involved the lack of authentication for internal drug libraries in Hospira pumps, enabling anyone on the hospital's network or a hacker accessing the pumps over the internet to load a new drug library that alters dosage limits, potentially leading to deadly dosages [Article 35057].
3. The software vulnerabilities in the MedNet software used by Hospira pumps allowed hackers to install malware on the servers and distribute unauthorized drug libraries to the pumps or alter their configurations, posing a significant security risk [Article 35057].
Non-software Causes
1. Lack of authentication for internal drug libraries in the Hospira drug infusion pumps, allowing anyone on the hospital's network to load a new drug library that alters dosage limits [Article 35057].
2. Vulnerabilities in the MedNet software used to communicate with the Hospira pumps, including hardcoded passwords and cryptographic keys, allowing hackers to install malware and distribute unauthorized drug libraries [Article 35057].
3. Lack of proper validation mechanisms in the Hospira pumps, where validation IDs can be easily spoofed, and updates can be pushed out to pumps without verifying the source [Article 35057].
Impacts
1. The software failure incident involving vulnerabilities in drug infusion pumps made by Hospira had the potential to allow hackers to remotely alter the dosage of drugs administered to patients, including delivering potentially deadly doses [Article 37117].
2. The vulnerabilities in the pumps could lead to serious harm to patients as they could be administered incorrect dosages due to the software malfunctioning or being manipulated by hackers [Article 1477].
3. The incident highlighted the lack of authentication in the internal drug libraries of the pumps, allowing anyone on the hospital network or even hackers accessing the pumps over the internet to load new drug libraries that alter dosage limits, potentially leading to medication errors and patient harm [Article 35057].
4. The FDA issued alerts about the vulnerabilities in the pumps, but there were delays in addressing the issues, potentially putting patients at risk [Article 37117].
5. The software flaws in the pumps raised concerns about patient safety and the need for tighter regulations and oversight of medical devices to prevent such incidents in the future [Article 1477].
Preventions
1. Implementing authentication for internal drug libraries in the drug infusion pumps to prevent unauthorized access and alterations [Article 35057].
2. Conducting variant analysis on different models of pumps to identify vulnerabilities and ensure security across all products [Article 37117].
3. Enhancing the firmware design to only accept legitimate updates that are authenticated and digitally signed, preventing unauthorized alterations [Article 37117].
4. Improving network security measures, including secure firewalls, to prevent unauthorized access and tampering with the pumps and software [Article 35057].
5. Requiring clinical trials to ensure pumps are not susceptible to misuse or design errors, in addition to simulated testing [Article 1477].
Fixes
1. Implementing core changes to the firmware's design to ensure that only legitimate drug libraries from trusted sources can be installed on the pumps [Article 35057].
2. Enhancing network security measures enforced by hospital information systems, including secure firewalls, to prevent tampering with the pumps and software [Article 35057].
3. Conducting variant analysis to determine if other models of pumps from the same manufacturer are affected by the vulnerabilities [Article 37117].
4. Requiring producers of medical devices like infusion pumps to provide more test data to regulatory agencies before approval for sale [Article 1477].
5. Conducting limited clinical trials to ensure that pumps are not susceptible to misuse or design errors [Article 1477].
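The check that Preventions item 3 and Fixes item 1 describe, as an added example and not code from the articles or from Hospira: a pump that installs a drug library only when it verifies against a publisher key pinned in firmware and carries a newer version than the one already installed, written in Go with the standard library's Ed25519. The library format, field names and sample dose limits are constructed for illustration and are not Hospira's.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// DrugLimit is one library entry: the dose boundaries the pump enforces and
// alerts on. The format and field names are constructed for this example.
type DrugLimit struct {
	Drug       string  `json:"drug"`
	LowerLimit float64 `json:"lower_limit"`
	UpperLimit float64 `json:"upper_limit"`
}

type DrugLibrary struct {
	Version int         `json:"version"` // monotonic; lets the pump refuse rollbacks
	Limits  []DrugLimit `json:"limits"`
}

// SignedLibrary is the update as it crosses the hospital network.
type SignedLibrary struct{ Payload, Signature []byte }
var ErrBadSignature = errors.New("library rejected: signature invalid or publisher unknown")
var ErrRollback = errors.New("library rejected: version not newer than the installed one")

// NewPublisherKey: only the public key is pinned in pump firmware; the private key stays on the release system.
func NewPublisherKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable entropy: nothing can be published safely
	}
	return pub, priv
}

// SignLibrary serialises a library and signs the exact bytes the pump will verify.
func SignLibrary(priv ed25519.PrivateKey, lib DrugLibrary) (SignedLibrary, error) {
	payload, err := json.Marshal(lib)
	if err != nil {
		return SignedLibrary{}, err
	}
	return SignedLibrary{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// AcceptLibrary is the gate the pump runs before installing a library: verify the signature
// with the pinned key before parsing anything, then refuse downgrades. The sending host is irrelevant.
func AcceptLibrary(pub ed25519.PublicKey, installed int, upd SignedLibrary) (DrugLibrary, error) {
	if !ed25519.Verify(pub, upd.Payload, upd.Signature) {
		return DrugLibrary{}, ErrBadSignature
	}
	var lib DrugLibrary
	if err := json.Unmarshal(upd.Payload, &lib); err != nil {
		return DrugLibrary{}, err
	}
	if lib.Version <= installed {
		return DrugLibrary{}, ErrRollback
	}
	return lib, nil
}

func main() {
	pub, priv := NewPublisherKey()
	lib := DrugLibrary{Version: 2, Limits: []DrugLimit{{Drug: "morphine", LowerLimit: 0.5, UpperLimit: 4}}}
	upd, _ := SignLibrary(priv, lib)
	// Constructed failures: a ceiling raised after signing (JSON encodes 4.0 as 4), an unpinned signer, a replayed old version.
	forged := SignedLibrary{Payload: bytes.Replace(upd.Payload, []byte(`"upper_limit":4`), []byte(`"upper_limit":400`), 1), Signature: upd.Signature}
	_, otherPriv := NewPublisherKey()
	rogue, _ := SignLibrary(otherPriv, lib)
	verdict := func(installed int, u SignedLibrary) error {
		_, err := AcceptLibrary(pub, installed, u)
		return err
	}
	fmt.Println("genuine update:", verdict(1, upd)) // <nil>: the only one the pump installs
	fmt.Println("tampered dose ceiling:", verdict(1, forged))
	fmt.Println("unknown publisher:", verdict(1, rogue))
	fmt.Println("replayed old version:", verdict(2, upd))
}
```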
References
1. Security researcher Billy Rios [Article 38894, Article 37117, Article 35057]
2. FDA (Food and Drug Administration) [Article 1477, Article 35057]
3. Hospira (manufacturer of drug infusion pumps) [Article 38894, Article 37117, Article 35057]
4. Blackberry Chief Security Officer David Kleidermacher [Article 38894]
5. Dr. Jeffrey E. Shuren, director of the Center for Devices and Radiological Health at the FDA [Article 1477]
6. Eric Floyd, Hospira's vice president for global regulatory affairs [Article 1477]
7. Dr. Robert Wachter, associate chair of UC San Francisco's Department of Medicine [Article 35057]
8. Tareta Adams, Hospira spokeswoman [Article 35057]

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization, multiple_organization (a) The software failure incident related to the vulnerability in drug infusion pumps has happened again within the same organization, Hospira. Billy Rios reported vulnerabilities in several models of drug infusion pumps made by Hospira, allowing hackers to remotely change the amount of drugs administered to patients [Article 37117]. Rios also found security problems with the MedNet software used to communicate with the pumps, which could allow hackers to install malware and distribute unauthorized drug libraries [Article 35057]. (b) The software failure incident has also happened at other organizations or with their products and services. Federal regulators tightened oversight of medical devices, including infusion pumps, due to reports of patient deaths linked to problems with the devices [Article 1477]. Additionally, vulnerabilities in drug infusion pumps made by other manufacturers were reported, allowing attackers to access and alter dosages [Article 35057].
Phase (Design/Operation) design, operation (a) The software failure incident related to the design phase: - The software failure incident in the articles is primarily related to the design phase. It involves vulnerabilities in the design of drug infusion pumps made by Hospira, allowing hackers to remotely alter the firmware on the pumps and change the dosages delivered to patients [37117]. - The vulnerabilities were found in several models of pumps made by Hospira, including the PCA LifeCare pumps, PCA3 LifeCare, PCA5 LifeCare, Symbiq, and Plum A+ models [37117]. - The design flaws included issues with the communication module in the pumps, lack of authentication for internal drug libraries, and hardcoded passwords in the MedNet software used to communicate with the pumps [37117]. - The vulnerabilities allowed attackers to remotely access the pumps, install malware, distribute unauthorized drug libraries, and alter configurations, posing a significant risk to patient safety [35057]. (b) The software failure incident related to the operation phase: - The software failure incident also involves factors related to the operation phase, specifically the misuse of the system by potential attackers [35057]. - The vulnerabilities discovered in the Hospira drug infusion pumps allowed for potential misuse by hackers who could alter dosages remotely, leading to serious harm to patients [35057]. - The operation phase failure is highlighted by the fact that the pumps did not use authentication for internal drug libraries, allowing anyone on the hospital's network or even hackers accessing the pumps over the internet to load new drug libraries that could potentially deliver deadly dosages [35057]. - The misuse of the system by exploiting the vulnerabilities in the design phase led to the potential for altering dosages and causing harm to patients, indicating a failure in the operation of the system [35057].
Boundary (Internal/External) within_system, outside_system (a) within_system: - The software failure incident related to the vulnerability in the drug infusion pumps made by Hospira was primarily due to contributing factors that originated from within the system itself. The vulnerabilities in the pumps allowed hackers to remotely alter the firmware on the pumps, giving them complete control of the devices and the ability to change the dosages delivered to patients [Article 37117]. - The Hospira pumps had security problems with the MedNet software used to communicate with the pumps, including hardcoded passwords, cryptographic keys, and vulnerabilities that could allow hackers to install malware on the servers and distribute unauthorized drug libraries to the pumps [Article 35057]. (b) outside_system: - The software failure incident was also influenced by contributing factors that originated from outside the system. For example, the vulnerability in the drug infusion pumps allowed anyone on the hospital's network or a hacker accessing the pumps over the internet to load a new drug library that alters the dosage limits, potentially leading to the delivery of a deadly dosage [Article 35057]. - Additionally, the pumps' design allowed for updates to be pushed out to them from any system on the hospital's network, without verifying the legitimacy of the source, which exposed them to external manipulation [Article 35057].
Nature (Human/Non-human) non-human_actions (a) The software failure incident occurring due to non-human actions: - The software failure incident in the articles is primarily related to vulnerabilities in the software of drug infusion pumps made by Hospira, allowing hackers to remotely alter the firmware on the pumps and change the dosages delivered to patients [Article 37117]. - The vulnerabilities in the software of the pumps allowed for the alteration of dosage limits and the potential administration of deadly doses without issuing alerts [Article 35057]. - The software flaws included issues with the communication modules in the pumps, lack of authentication for internal drug libraries, and vulnerabilities in the MedNet software used to communicate with the pumps [Article 35057]. (b) The software failure incident occurring due to human actions: - The articles do not specifically mention any software failure incidents caused by human actions.
Dimension (Hardware/Software) hardware, software (a) The software failure incident occurring due to hardware: - The software failure incident reported in the articles is related to vulnerabilities found in drug infusion pumps made by Hospira, a medical equipment manufacturer. These vulnerabilities allowed hackers to remotely alter the firmware on the pumps, giving them complete control of the devices and the ability to change the dosages delivered to patients [Article 37117]. - The vulnerabilities were found in several models of drug infusion pumps made by Hospira, including the PCA LifeCare pumps, PCA3 LifeCare, PCA5 LifeCare, Symbiq line of pumps, and Plum A+ model of pumps. These pumps had communication modules connected via a serial cable to a circuit board, which contained the firmware. Hackers could exploit this serial connection to remotely access and update the firmware on the pumps, potentially leading to harmful consequences [Article 37117]. (b) The software failure incident occurring due to software: - The software failure incident was primarily caused by vulnerabilities in the software of the drug infusion pumps manufactured by Hospira. These vulnerabilities allowed hackers to remotely alter the firmware on the pumps, giving them control over the devices and the ability to change the dosages delivered to patients [Article 37117]. - The vulnerabilities in the software of the pumps were exploited by security researcher Billy Rios, who found flaws in the communication modules and serial cable connections that allowed unauthorized firmware updates. The software did not authenticate updates, making it possible for anyone to alter the software on the pumps, leading to potential risks for patients [Article 37117].
Objective (Malicious/Non-malicious) malicious, non-malicious (a) The software failure incident described in the articles is malicious in nature. Security researcher Billy Rios discovered vulnerabilities in several models of drug infusion pumps made by Hospira that would allow a hacker to remotely change the amount of drugs administered to a patient, including raising the dosage above the maximum limit before delivering a potentially deadly dosage without the pump issuing an alert [Article 37117]. Rios also found that the pumps did not use authentication for their internal drug libraries, allowing anyone on the hospital's network or a hacker accessing the pumps over the internet to load a new drug library that alters dosage limits, potentially leading to serious harm to patients [Article 35057]. (b) The software failure incident is non-malicious in the sense that some of the deaths linked to problems with infusion pumps were accidental, either because a hospital worker entered incorrect dosage data into a pump or because the device's software malfunctioned [Article 1477]. Additionally, altering the allowable limits of a drug in the pump simply meant that if a caregiver accidentally instructed the pump to give too high or too low a dosage, the pump wouldn't issue an alert, which seemed less alarming than if the pumps had vulnerabilities that would allow hackers to actually alter the dosage itself [Article 37117].
Intent (Poor/Accidental Decisions) poor_decisions, accidental_decisions (a) poor_decisions: - The software failure incident involving the drug infusion pumps made by Hospira was due to poor decisions made in the design and implementation of the software and firmware. The vulnerabilities in the pumps allowed hackers to remotely alter the firmware, giving them complete control over the devices and the ability to change the dosages delivered to patients [Article 37117]. - Hospira initially refused to fix the vulnerabilities reported by Billy Rios and stated that it had no interest in determining whether other infusion pumps in its product line possessed the same vulnerabilities, indicating a lack of proactive action to address security issues [Article 35057]. (b) accidental_decisions: - The software failure incident also involved accidental decisions or actions that contributed to the vulnerabilities. For example, the lack of authentication for internal drug libraries in the Hospira pumps allowed anyone on the hospital's network to load a new drug library that altered dosage limits, potentially leading to accidental administration of incorrect dosages [Article 35057]. - The FDA issued preliminary guidelines requiring more test data on infusion pumps to prevent accidental drug overdoses caused by mistakes such as entering incorrect dosage data into a pump or software malfunctions [Article 1477].
Capability (Incompetence/Accidental) development_incompetence, accidental (a) development_incompetence: - Article 35057 reports on a software failure incident related to the Hospira drug infusion pumps. The article highlights vulnerabilities found by security researcher Billy Rios in the Hospira systems, including issues with authentication for internal drug libraries, hardcoded passwords, cryptographic keys, and plaintext storage of usernames and passwords in the MedNet software used to communicate with the pumps. These vulnerabilities were exploited by Rios to demonstrate the potential for hackers to install malware, distribute unauthorized drug libraries, and alter configurations of the pumps [35057]. - Article 37117 also discusses the vulnerabilities found by Billy Rios in several models of drug infusion pumps made by Hospira, allowing hackers to remotely alter the firmware on the pumps and change the dosages delivered to patients. Rios reported these vulnerabilities to Hospira and the FDA, indicating a lack of proper security measures in the design and development of the pumps [37117]. (b) accidental: - Article 1477 mentions incidents where patients suffered drug overdoses accidentally due to problems with automated infusion pumps, either because a hospital worker entered incorrect dosage data into a pump or because the device's software malfunctioned. The FDA received reports of 710 patient deaths linked to problems with infusion pumps, indicating accidental errors leading to serious consequences [1477]. - Article 35057 also discusses the risks associated with altering dosage boundaries in drug libraries of infusion pumps, highlighting the potential for accidental dosage mistakes that could cause serious harm to patients. Dr. Robert Wachter expressed concerns about the impact of changing dosage limits in a pump's library, emphasizing the potential for harm in a hospital setting where numerous medications are administered [35057].
Duration permanent (a) The software failure incident described in the articles appears to be permanent. The vulnerabilities and flaws in the software of the drug infusion pumps made by Hospira allowed hackers to remotely alter the firmware on the pumps, giving them complete control of the devices and the ability to change the dosages delivered to patients [Article 37117]. Additionally, the software did not use authentication for internal drug libraries, allowing anyone on the hospital's network to load a new drug library that alters dosage limits, potentially leading to deadly dosages being administered [Article 35057]. These software vulnerabilities were not temporary issues but fundamental flaws in the design and implementation of the software, indicating a permanent failure state.
Behaviour omission, value, other (a) crash: The software failure incident described in the articles does not involve a crash where the system loses state and does not perform any of its intended functions [unknown]. (b) omission: The failure is related to the system omitting to perform its intended functions at one or more instances. For example, the system omitted to issue an alert when a caregiver accidentally instructed the pump to give too high or too low a dosage, leading to potential harm to patients [Article 35057]. (c) timing: The failure is not related to the system performing its intended functions too late or too early [unknown]. (d) value: The failure is related to the system performing its intended functions incorrectly. For instance, the vulnerabilities allowed hackers to remotely change the amount of drugs administered to a patient, potentially leading to deadly dosages [Article 37117]. (e) byzantine: The failure is not related to the system behaving erroneously with inconsistent responses and interactions [unknown]. (f) other: The other behavior observed in the software failure incident is the system allowing unauthorized changes to the firmware, giving complete control to attackers and potentially leading to harmful alterations in drug dosages delivered to patients [Article 37117].

IoT System Layer

Layer Option Rationale
Perception sensor, processing_unit, network_communication, embedded_software (a) sensor: Failure due to contributing factors introduced by sensor error - Article 35057 discusses vulnerabilities in the Hospira drug infusion pumps related to the pumps not using authentication for their internal drug libraries, which set upper and lower boundaries for dosages. This lack of authentication allows anyone on the hospital's network to load a new drug library that alters the limits, potentially leading to the delivery of a deadly dosage [35057]. (b) actuator: Failure due to contributing factors introduced by actuator error - The articles do not specifically mention failures related to actuator errors. (c) processing_unit: Failure due to contributing factors introduced by processing error - Article 37117 describes vulnerabilities found by Billy Rios in several models of drug infusion pumps made by Hospira, allowing a hacker to remotely change the amount of drugs administered to a patient by altering the firmware on the pumps. This indicates a failure related to processing errors in the software controlling the pumps [37117]. (d) network_communication: Failure due to contributing factors introduced by network communication error - Article 37117 discusses vulnerabilities in the communication module of the Hospira pumps, which are connected to hospital networks and the internet. The serial cable connection between the communication module and the circuit board allows hackers to remotely access the firmware and update it, indicating a failure related to network communication errors [37117]. (e) embedded_software: Failure due to contributing factors introduced by embedded software error - Article 37117 highlights vulnerabilities in the firmware of the Hospira drug infusion pumps, allowing attackers to remotely alter the firmware on the pumps, giving them complete control of the devices and the ability to alter dosages delivered to patients. This points to a failure related to embedded software errors [37117].
Communication link_level, connectivity_level (a) link_level: The failure was related to the link level of the communication layer of the cyber physical system: - Article 37117 discusses how security researcher Billy Rios found vulnerabilities in drug infusion pumps made by Hospira, specifically related to the communication module in the LifeCare and Plum A+ pumps. The vulnerability allowed hackers to remotely alter the firmware on the pumps, giving them complete control of the devices and the ability to alter dosages delivered to patients. The communication modules were connected via a serial cable to a circuit board in the pumps, which contained the firmware. This vulnerability in the communication layer allowed unauthorized access and control over the pumps [37117]. (b) connectivity_level: The failure was also related to the connectivity level of the communication layer: - Article 35057 highlights the vulnerabilities in the communication layer of the Hospira pumps. The MedNet software used to communicate with the pumps had several security issues that could be exploited by hackers. The pumps operated in listening mode through various ports and could receive updates from any system on the hospital's network, not just the MedNet system. Additionally, the validation IDs used for security could be easily spoofed, indicating weaknesses in the network communication layer of the system [35057].
Application TRUE The software failure incidents described in the articles were related to the application layer of the cyber physical system. The failures were due to vulnerabilities in the software that allowed hackers to remotely alter the dosage of drugs administered to patients through drug infusion pumps. These vulnerabilities were exploited by manipulating the firmware of the pumps, allowing attackers to change the dosage limits and potentially administer deadly doses without triggering alerts [Article 38894, Article 37117].

Other Details

Category Option Rationale
Consequence death, harm, theoretical_consequence (a) death: The software failure incident involving vulnerabilities in drug infusion pumps made by Hospira had the potential consequence of causing death. The vulnerabilities discovered by security researcher Billy Rios could allow hackers to remotely administer fatal drug doses to patients by altering the dosage limits and firmware of the pumps [38894, 37117]. (b) harm: The software failure incident could result in physical harm to patients. The vulnerabilities in the drug infusion pumps could lead to patients receiving incorrect dosages of medication, potentially causing harm or overdose [1477, 35057]. (h) theoretical_consequence: There were potential consequences discussed regarding the software failure incident. The vulnerabilities in the drug infusion pumps could have led to serious harm or death if exploited by hackers to administer incorrect dosages of medication to patients [1477, 35057].
Domain health (a) The failed system was related to the production and distribution of information as it involved vulnerabilities in drug infusion pumps used in hospitals to administer medication to patients [1477, 37117]. (b) There is no direct mention of the transportation industry in the articles. (c) There is no direct mention of the natural resources industry in the articles. (d) There is no direct mention of the sales industry in the articles. (e) There is no direct mention of the construction industry in the articles. (f) There is no direct mention of the manufacturing industry in the articles. (g) There is no direct mention of the utilities industry in the articles. (h) There is no direct mention of the finance industry in the articles. (i) There is no direct mention of the knowledge industry in the articles. (j) The failed system was specifically related to the health industry as it involved vulnerabilities in drug infusion pumps used in healthcare settings to administer medication to patients [1477, 37117]. (k) There is no direct mention of the entertainment industry in the articles. (l) There is no direct mention of the government industry in the articles. (m) The failed system was not related to any other industry mentioned in the options.

Sources
