In what may be a first for the agency, the Food and Drug Administration (FDA) has issued a cybersecurity alert to hospitals using computer-controlled pumps to administer drugs to patients.
The FDA warned that the Symbiq Infusion System, manufactured by Hospira, contains vulnerabilities in its software that could allow a hacker to adjust the dosage of a drug.
The vulnerabilities were first detected by cybersecurity researcher Billy Rios, and later confirmed by the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team.
The FDA says Hospira is aware of the cybersecurity weaknesses with the Symbiq Infusion System, and has recommended that hospitals stop using the pumps and switch to alternative infusion systems. The agency said it was not aware “of any patient adverse events or unauthorized access of a Symbiq Infusion System in a health care setting.”
Hospira has stopped manufacturing and distributing the Symbiq Infusion System “due to unrelated issues,” according to the FDA. However, many of the pumps are still available for purchase through medical supply companies. The FDA advised health care facilities to avoid purchasing the pumps from these third parties.
In addition, Rios said he has found similar vulnerabilities in other pumps made by Hospira. The company’s PCA LifeCare pumps, its PCA3 LifeCare and PCA5 LifeCare pumps, and its Plum A+ model of pumps can all be accessed by hackers, according to Wired.
Rios told Wired that the communications modules used with the pumps allow updates to the machines’ firmware. “And if you can update the firmware on the main board, you can make the pump do whatever you like,” Rios said.
Nor would a hacker need physical access to the pump to change the programming. “You can talk to that communication module over the network or over a wireless network,” Rios said.