News Feature | August 4, 2015

FDA Issues First Cybersecurity-Related Alert For A Specific Device

By Suzanne Hodsden


The U.S. Food and Drug Administration (FDA) has for the first time encouraged medical device users to avoid a product because of a cybersecurity-related vulnerability.

FDA, the Department of Homeland Security (DHS) and device maker Hospira each have issued statements warning that older models of Hospira’s Symbiq infusion pump systems are vulnerable to illegal cyber-attacks that could over- or under-dose patients remotely.  While no adverse events have been reported, the government and Hospira are working to correct the issue and urge product users to follow precautionary instructions to ensure patient safety.

Hospira stopped making the Symbiq system in 2013 as it transitioned into marketing campaigns for newer infusion pump models, but the FDA reports that there remains an unknown number of Symbiq systems still in use and they still are being sold by third parties.  In a statement, the FDA “strongly” urged hospitals using Symbiq to transition to alternative systems “as soon as possible.”

The DHS issued a list of safety precautions that product users could implement immediately to ensure their safety until they could switch to a new system.  These include disconnecting the device from the network, imputing updates manually, ensuring certain ports are closed, and calling a Hospira hotline to change the password for other ports.

According to the DHS, environments operating medical devices such as Symbiq should use layered and redundant security systems to implement “defense-in-depth” practices.  While hospital firewalls are effective, they should not be the only line of defense.

Billy Rios, a security consultant who once worked for Google as a software engineer, was credited by the DHS with discovering the flaws in the Symbiq system. In an interview with The Washington Post, Rios remarked that exploits he wrote to attack the Symbiq system could do a patient serious harm.

Though Hospira reported its new infusion pump models, LifeCare PCA and Plum A+, have been designed with stronger security protections, Rios warns that releasing new models is not enough to address patient safety. Medical device companies need to have a planned protocol for addressing problems in existing systems as they arise.

Jay Radcliffe, another cyber-security expert, told The Washington Post, “We’re still in the process of getting all companies to the same level of understanding that if your device uses computers, you have to be prepared to patch them and update them.”

This is the first time the FDA has alerted the public about cybersecurity risk in a specific medical device, but many experts warn that it will not be the last as more and more medical devices are connecting to open networks. A report released by Mayo Clinic researchers earlier this year suggested that cybersecurity soon will join safety and efficacy as a regulatory issue.

In a statement, Hospira expressed its commitment to being proactive about these issues and to joining an ongoing industry dialogue.

“Cybersecurity in healthcare devices is an issue that extends beyond infusion pumps. It is critical to continue multi-stakeholder dialogue to develop solutions to address this evolving area, and Hospira will continue to be an active participant in industry discussions on this topic,” stated Hospira.