Hospira Infusion Pumps Vulnerable to Hackers, Warns FDA

Warning that a security vulnerability could enable cyber attackers to take remote control of the system, the U.S. Food and Drug Administration on Friday recomended hospitals to discontinue using Hospira Inc‘s Symbiq infusion system. The glitch in the computerized pumps, used to deliver drugs, was uncovered by cyber security expert Billy Rios, who found that remote attacks could be made on patients via accessing a hospital’s computer network.

“This (vulnerability) could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies,” wrote the FDA in its warning.

This marks the first time the FDA has advised healthcare providers to stop use of a medical device because of a cyber-security vulnerability.

Manufacture and sales of the Symbiq system had previously been discontinued by Hospira, the FDA said, for reasons unrelated to the cyber vulnerability, although they are still in use and being sold by third parties.

An announcement on Hospira’s website indicated the company was working with Symbiq customers to deploy a software update closing access ports to the pump and including other security protections.

“This option provides our Symbiq customers with another layer of security for the devices while they remain in the market for another few months,” the statement said.

Photo: Justine Desmond, Wellcome Images