Hospitals advised to stop using vulnerable computerized drug pumps
The US Food and Drug Administration has issued a safety communication warning healthcare facilities using the Hospira Symbiq Infusion System – a computerized pump made for delivering infusion therapy – that the device has several critical security vulnerabilities.
“Hospira and an independent researcher confirmed that Hospira’s Symbiq Infusion System could be accessed remotely through a hospital’s network. This could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies,” the alert says.
“Hospira has discontinued the manufacture and distribution of the Symbiq Infusion System, due to unrelated issues, and is working with customers to transition to alternative systems. However, due to recent cybersecurity concerns, the FDA strongly encourages health care facilities to begin transitioning to alternative infusion systems as soon as possible.”
The vulnerabilities are as follows: ports 20/FTP and 23/TELNET are open by default, and Port 8443 can be accessed by entering a default login password.
The good news is that there is no evidence that the vulnerabilities have ever been exploited by malicious individuals.
While the Symbiq Infusion System is no longer sold and manufactured by Hospira, third parties are still selling it.
“After evaluating reported vulnerabilities, we are communicating with customers at the limited number of sites where Symbiq remains in use,” Hospira said in a statement.
“We have worked with them to deploy an update to the pump configuration to close access ports and put additional cybersecurity protections in place. This option provides our Symbiq customers with another layer of security for the devices while they remain in the market for another few months.”
“Symbiq is a uniquely designed pump, and these updates will address reported vulnerabilities specific to Symbiq. Hospira is continuing to assess cybersecurity across our product line. For LifeCare PCA and Plum A+ infusion device customers, we are communicating with them directly regarding cybersecurity mitigations for these products,” they added.
This is the first time that the US FDA has advised healthcare providers to stop using a medical device because of cybersecurity vulnerabilities. The advice comes nearly two months after researcher Billy Rios revealed the existence of serious vulnerabilities in several types of drug infusion pumps manufactured by US-based Hospira.