Cybersecurity

FDA to hospitals: Infusion system vulnerable to hacks, should not be used

Published 3 August 2015

The Food and Drug Administration (FDA) issued a warning in which it “strongly encourages” hospitals to stop using Hospira’s Symbiq Infusion System, because the device is vulnerable to attacks by hackers who could remotely control dosages delivered via the computerized pumps. The FDA said that tests have shown that an unauthorized third party – hackers – could access the Symbiq infusion system by breaching hospital networks.

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reached similar conclusions after its own tests.

CERT reported the vulnerability on 21 July and the FDA released its own safety alert on Friday, 31 July. Thankfully, there are no reported incidents of the Symbiq system being hacked.

Engadget reports that Hospira no longer sells the Symbiq system, but some third-party retailers are still selling it despite the FDA warning. The network vulnerability would “allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies,” the FDA says.

This safety alert the FDA has issued about the infusion system is the first foray of the health monitoring agency into cybersecurity territory.