FDA warns of security flaw in Hospira infusion pumps
The U.S. Food and Drug Administration and pharmaceutical company Hospira announced Friday that they are aware of “cybersecurity vulnerabilities” associated with the company’s Symbiq Infusion System.
Last month, we received the cool and totally non-alarming news that drug infusion pumps manufactured by Hospira could be easily hacked over a network. The FDA said that some of the systems were even shipped with a default login password.
No cases of attacks on the system have yet been recorded, but the FDA is strongly advising hospitals to stop using the system.
The devices, computerized pumps that allow for continuous delivery of general infusions, are used in hospitals and nursing homes.
The FDA says health care providers should disconnect the pumps from their networks and update their drug libraries manually – a process the agency warns can be labor intensive and prone to error.
“This (vulnerability) could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies,” wrote the FDA in its warning.
While technology can make care more accurate and efficient, security experts have raised concerns about how criminals might breach devices to steal information or harm patients. A week ago, automaker Fiat Chrysler recalled 1.4 million vehicles because of a flaw that made them vulnerable to hackers.
The FDA said Hospira had discontinued the manufacture and sales of the Symbiq system for reasons not related to the cyber vulnerability, but that the pumps were still in use and being sold by third parties.
The vulnerability was discovered by a white-hat hacker by the name of Billy Rios, who then reported it to the Department of Homeland Security. That import ban has since been lifted, Hospira said.