BOSTON (Reuters) - The U.S. Food and Drug Administration on Friday advised hospitals not to use Hospira Inc’s Symbiq infusion system, saying a security vulnerability could allow cyber attackers to take remote control of the system.
The agency issued the advisory some 10 days after the U.S. Department of Homeland Security warned of the vulnerability in the pump, which is used to deliver medications directly into the bloodstream of patients.
The FDA and DHS cited research from independent cyber security expert Billy Rios, who found that remote attacks could be launched on patients by accessing a hospital’s network.
Both the FDA and DHS said they know of no cases where such an attack has been launched, but the FDA said in its advisory that it strongly encouraged healthcare facilities to stop using the Symbiq infusion pump system and move to other devices.
“This (vulnerability) could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies,” the FDA said in its warning.
It was the first time the FDA had advised healthcare providers to discontinue use of a medical device because of a cyber-security vulnerability.
The FDA said Hospira had previously discontinued the manufacture and sales of the Symbiq system for reasons not related to the cyber vulnerability, but that the systems were still in use and being sold by third parties.
Hospira said in a notice on its website that it was working with Symbiq customers to deploy a software update that closes access ports to the pump and includes other cyber-security protections.
“This option provides our Symbiq customers with another layer of security for the devices while they remain in the market for another few months,” the statement said.
It said that it was also working with customers of its LifeCare PCA and Plum A+ infusion devices with advice on how to mitigate cyber-security vulnerabilities.
FDA spokeswoman Angela Stark said the agency had looked into issues with other Hospira infusion pumps and issued a safety communication on two other Hospira models in May.
John Halamka, chief information officer with Boston’s Beth Israel Deaconess Medical Center, said that healthcare providers need to secure medical devices by putting them behind firewalls and placing them on private internal networks that are not accessible.
He said that ultimately the responsibility for securing devices lies with manufacturers.
“They need to re-engineer their devices with security built in,” he said.
The FDA’s warning came as industry and government regulators are placing unprecedented attention on public safety risks posed by cyber vulnerabilities in products with embedded computers.
Fiat Chrysler last week announced the recall of 1.4 million U.S. vehicles to install software to prevent hackers from gaining remote control of the engine, steering and other systems.
It was the first auto recall prompted by a cyber vulnerability.
Critics have warned in recent years that the government is not moving fast enough to address vulnerabilities in critical infrastructure, including healthcare and transportation.
A senior Department of Homeland Security official told Reuters in October that the agency was reviewing about two dozen cases of possible cyber vulnerabilities in medical devices. He did not identify the devices under scrutiny, but people familiar with the agency’s work said that they included Hospira pumps.
A DHS spokesman on Friday declined to comment on the status of the agency’s other investigations into medical devices.
Josh Corman, co-founder of the non-profit group I Am The Cavalry, said the unprecedented responses to the Hospira and Fiat Chrysler vulnerabilities show that government and industry can find ways to protect the public from cyber vulnerabilities.
“This is very encouraging,” said Corman, whose group lobbies to boost security of cars and medical devices. “I love this as an intermediary step while new laws and new regulatory standards are being developed.”
Additional reporting by Toni Clarke in Washington and Caroline Humer in New York; Editing by Jonathan Oatis