News & Resources

Publications & Media

“FDA Issues Warning on Cybersecurity for Infusion Pump”

Safe and Sound By Rachel H. Bryers

On July 31, 2015, the U.S. Food and Drug Administration (“FDA”) issued a safety warning alerting users of the Hospira Symbiq Infusion System to cybersecurity vulnerabilities associated with the infusion pump. The Symbiq Infusion System is a computerized pump designed for the continuous delivery of general infusion therapy for a broad patient population. The infusion system has the ability to communicate with a Hospital Information System via a wired or wireless connection over facility network infrastructures.

The FDA is strongly encouraging health care facilities to discontinue the use of this pump and instead transition to alternative infusion systems, after Hospira and an independent researcher confirmed that an unauthorized user could remotely access the Symbiq Infusion System through a hospital’s network. This vulnerability could permit hackers who are connected to a health care facility’s network to control the device and change the dosage delivered by the pump, causing a risk of an overdose or underdose to the patient. The FDA and Hospira stated they are not currently aware of any patient adverse events or unauthorized access involving the pump.

Hospira has already discontinued the manufacture and distribution of the Symbiq Infusion System, but is strongly encouraging health care facilities where the pump is still in use to begin transitioning away from the pump as soon as possible. While transitioning to an alternative system, the FDA recommends:

  • Disconnecting the affected product from the network (note that this may have operational impacts);
  • Ensuring that unused ports are closed; and
  • Monitoring and logging all network traffic attempting to reach the pump.

The FDA is also aware that the infusion pump is potentially available for purchase from third parties, and has strongly discouraged the purchase of this pump from such third parties. The warning also stated that the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) is aware of these cybersecurity vulnerabilities.