FDA Issues Safety Alert Over Hospira Infusion Pump’s Cybersecurity Vulnerabilities

image

The FDA has published a safety alert stemming from cybersecurity vulnerabilities found within medical device manufacturer Hospira’s Symbiq Infusion System. The alert outlines security vulnerabilities initially discovered by the US Department of Homeland Security on July 21. According to the DHS, Hospira’s infusion system contains serious software security issues that “could allow an attacker to remotely control the operation of the device, potentially impacting the prescribed therapy and patient safety.” As a result, the FDA is recommending that customers migrate to an alternative infusion pump as soon as possible.

The announcement marks the FDA’s first safety alert related to a cybersecurity vulnerability, suggesting that the agency may being monitoring the notoriously insecure software that runs medical devices more closely. In the last few years, a slew of high-profile vulnerabilities have been exposed by white-collar hackers, including exploits that could allow attackers to commandeer surgical robots, insulin pumps, and even pacemakers. Though no actual attacks are known to have occurred based on any of these vulnerabilities, software experts agree that a stronger emphasis on software security is overdue.

In the case of the Symbiq Infusion System, Hospira discontinued this product line in May 2015 over unrelated issues, but does not expect to have all units removed from the market until December 2015. In the meantime, units are still in use at hospitals across the country and reportedly still being sold by third-party resellers.

To mitigate the threat, the FDA and DHS are recommending Symbiq pumps be taken off internal hospital networks completely. The alert also recommends IT departments close unused ports on the devices and suggests monitoring for network traffic attempting to reach the devices. The alert cautions that removing the device from the network will prevent it from updating its internal drug library, which will result in manual updates that are both labor intensive and prone to user error.

The FDA reports that it will continue to monitor the situation and will publish additional communications should new information become available.


Enjoy HIStalk Connect? Sign up for update alerts, or follow us at @HIStalkConnect.

↑ Back to top

Founding Sponsors

Platinum Sponsors