FDA Issues Cyber Alert for Remotely Accessible Infusion Pumps
The U.S. Food and Drug Administration has alerted users of a computerized infusion pump, which communicates with hospital information systems via a wired or wireless connection over facility network infrastructures, that it has serious cybersecurity vulnerabilities that could put patient safety at risk.
As a result, the FDA has strongly encouraged acute and non-acute healthcare facilities, such as nursing homes and outpatient care centers, which are currently using the Hospira Symbiq Infusion System to discontinue use of these pumps and find alternative infusion systems as soon as possible.
According a July 31 FDA safety communication, the U.S. Department of Homeland Securitys Industrial Control Systems Cyber Emergency Response Team as well as Hospirathe manufacturer of the infusion systemare aware of its cybersecurity vulnerabilities, namely the fact that the pump can be accessed remotely through a hospitals network.
This could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies, warns the regulatory agency. The FDA and Hospira are currently not aware of any patient adverse events or unauthorized access of a Symbiq Infusion System in a healthcare setting.
While transitioning to an alternative infusion system, the FDA advises healthcare facilities to disconnect the pumps from their networks to reduce the risk of unauthorized system access. At the same time, the agency cautions that disconnecting the devices from the network will have operational impacts requiring drug libraries to be updated manually for each pump which can be labor intensive and prone to entry error.
Although the infusion pumps are no longer available for purchase through Hospira, which has discontinued the manufacture and distribution of the Symbiq Infusion System due to unrelated issues, the FDA expressed its concern that the product is still potentially available for purchase from third partieswhich the agency strongly discourages.