FDA Issues its First-Ever Cybersecurity Alert
In what may be a first for the agency, the Food and Drug Administration (FDA) has issued a cybersecurity alert to hospitals using computer-controlled pumps to administer drugs to patients.
The FDA warned that the Symbiq Infusion System, manufactured by Hospira, contains vulnerabilities in its software that could allow a hacker to adjust the dosage of a drug.
The vulnerabilities were first detected by cybersecurity researcher Billy Rios, and later confirmed by the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team.
The FDA says Hospira is aware of the cybersecurity weaknesses with the Symbiq Infusion System, and has recommended hospitals stop using them and switch to alternative infusion systems. The agency said it was not aware “of any patient adverse events or unauthorized access of a Symbiq Infusion System in a health care setting.”
Hospira has stopped manufacturing and distributing the Symbiq Infusion System, which was “due to unrelated issues,” according to the FDA. However, many of them are still available for purchase through medical supply companies. The FDA advised health care facilities to avoid purchasing the pumps from these third parties.
In addition, Rios said he has found similar vulnerabilities in other pumps made by Hospira. The company’s PCA LifeCare pumps; PCA3 LifeCare and PCA5 LifeCare pumps; and its Plum A+ model of pumps are all able to be accessed by hackers, according to Wired.
Rios told Wired that the communications modules used with the pumps allow updates to the machines’ firmware. “And if you can update the firmware on the main board, you can make the pump do whatever you like,” Rios said.
Nor would a hacker need physical access to the pump to change the programming. “You can talk to that communication module over the network or over a wireless network,” Rios said.
-Noel Brinkerhoff, Steve Straehley
To Learn More:
Symbiq Infusion System by Hospira: FDA Safety Communication - Cybersecurity Vulnerabilities (Food and Drug Administration)
Hospira Symbiq Infusion System Vulnerability (Department of Homeland Security)
Hacker Can Send Fatal Dose to Hospital Drug Pumps (by Kim Zetter, Wired)
Hospira Plum A+ Infusion Pump Vulnerabilities (Billy Rios)
- Top Stories
- Unusual News
- Where is the Money Going?
- U.S. and the World
- Appointments and Resignations
- Latest News
- Drug Enforcement Administration Misused Money for Informants
- More Measures Needed to Slow Global Warming
- Study Finds Police Use of Body Cameras Dramatically Cuts Complaints
- Federal Government Prohibits Mandatory Arbitration in Nursing Home Contracts
- Supreme Court Takes Case That Could Affect Trademark Protection for Football Team’s Offensive Name