The Food and Drug Administration is telling hospitals to stop using Hospira’s Symbiq medication pump, citing a cybersecurity vulnerability that could allow hackers to control how much medication the Internet-connected device delivers to patients.
The FDA said Hospira’s Symbiq Infusion System could be accessed remotely through a hospital’s network, allowing an unauthorized user to control the device and change the dosage of medications the pump delivers to patients.
Hospira stopped manufacturing these pumps in 2013 due to unrelated issues, but the pumps were not removed from use by hospitals that already had purchased them. Last month, the FDA says an independent security researcher publicly released new information confirming the Symbiq medication pumps could be exploited from a remote setting.
“This changed the FDA’s risk assessment of this product, and as a result, the FDA is encouraging health care facilities to transition to alternative infusion systems,” FDA spokesperson Angela Stark wrote in an email.
This marks the first time the FDA has urged hospitals to end the use of a medical device because of a cybersecurity vulnerability, according to Stark.
The historic action at FDA comes as multiple federal agencies continue to warn of growing cyber vulnerabilities with medical and other devices. The Federal Trade Commission estimates 25 billion devices are connected online today.
In May, Scripps News revealed how consumers and businesses have left hundreds of thousands of Internet-connected cameras and devices vulnerable to hackers, while a new “Google-like” search engine has made unprotected devices increasingly easier for even unsophisticated people to locate online.
Scripps demonstrated how easy it was to use the search engine to find and even take over devices users had in many cases thought were password-protected.
Warning of the growing dangers in the medical field, a panelist speaking at an FTC workshop demonstrated how he was able to hack into his own insulin pump, where he could also manipulate the amount of medicine and actually stop insulin from being delivered.
“It says to me that the security vulnerabilities here are real,” said Kristen Anderson, an attorney in the privacy division of the FTC, told Scripps in May. “If you hacked into a connected pacemaker, defibrillator and issued a shock, you could stop someone’s heart.”
The FDA, which regulates medical devices, notes that as it relates to its recent action, Hospira is no longer marketing or distributing the Symbiq infusion pumps.
But the agency’s actions signal a shift towards how it could take an increasingly active role in identifying and responding to cybersecurity problems in medical devices it regulates.
In May, the FDA issued a prior safety communication related to two other Hospira pumps. Users were not, however, advised to stop using those products. The FDA’s only other previous cybersecurity-related safety communication came in June 2013 and related to a more general alert for medical professionals.
In the case of Hospira, the FDA cautioned that a lay person with incidental access to the hospital network would be unlikely to gain access to the Symbiq pump.
However, FDA spokesperson Angela Stark wrote “it is conceivable that (a) person with the knowledge and wherewithal could possibly find and potentially manipulate the pump.”
Hospira declined to say how many Symbiq infusion systems remain in use across the country, or to identify the hospitals where they are still being used, but a spokesperson said many of its customers already have transitioned away from the pumps or removed them from use altogether.
“For the limited sites that do still have them, we are working with them to deploy an update to put further cybersecurity protections in place until the pumps are retired, which is expected to be by the end of the year,” said Hospira Spokesperson Tareta Adams.
If you have a tip about cybersecurity or other story subjects, you can email Scripps national investigative correspondent mark.greenblatt@scripps.com or follow him on twitter @greenblattmark.