U.S. officials warn medical devices are vulnerable to hacking
In a YouTube video of their presentation at the BlackBerry Security Summit 2015, they showed just how simple it was to hack an infusion pump: they used the built-in Ethernet jack at the back of the pump, with the help of the device’s manual, which provided the fixed IP address that let Murphy break into it. To make matters worse, Murphy was even able to hack into the WiFi on the pump, so that he could control it remotely.
The FDA and Department of Homeland Security issued a statement that “strongly encourages” health care facilities to discontinue the use of Hospira’s Symbiq infusion pump after officials learned the devices are vulnerable to cybersecurity threats.
The U.S. Federal Bureau of Investigation and the Department of Homeland Security are aware of the Hospira pump vulnerability, the FDA said. The Lake Forest, Illinois, company declined to say how many products are still in use.
Hospira Inc. stopped making Symbiq pumps in 2013 and said it expected the majority would be replaced within two to three years.
In 2012, the FDA banned the import of Symbiq pumps made in Hospira’s Costa Rica manufacturing facility, noting in a warning letter that the agency had found numerous uncorrected quality problems. That’s the good news, says CBS News national security analyst Juan Zarate, “but the risk is there.”
The company added that it is also helping users of its Plum A+ and LifeCare PCA infusion devices to prevent similar cybersecurity issues.
The Symbiq infusion system is a computerized pump designed for the continuous delivery of general infusion therapy for a broad patient population. The pumps are used in hospitals, nursing homes and other facilities.
Hospira and an independent researcher confirmed that Hospira’s Symbiq infusion system could be accessed remotely through a hospital’s network.
The FDA recommends that health care providers disconnect the pumps from their networks and update their drug libraries manually, a process that can be labor-intensive and prone to error. “We have worked with them to deploy an update to the pump configuration to close access ports and put additional cybersecurity protections in place.” While no adverse events have been reported, the government and Hospira are working to correct the issue and urge product users to follow precautionary instructions to ensure patient safety.