News Feature | August 14, 2015

FDA Issues Alert Medication Infusion Pump Hacking Alert

Christine Kern

By Christine Kern, contributing writer

FDA Draft Guidance

The warning states the system is vulnerable to cybersecurity hacks that can control dosage.

The FDA has issued an alert, warning of cybersecurity vulnerabilities in the Symbiq Infusion pump that could allow hackers to override control of patient medication delivery. The Hospira Symbiq Infusion System is a computerized pump that provides continuous delivery of general infusion therapy for a broad patient population.

The alert warns healthcare facilities using this system of potential unauthorized access and control of these systems, and includes a recommendation that users transition to alternative infusion systems and discontinue use of the affected pumps until further notice. The alert reads, in part, “The FDA, the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (CS-CERT), and Hospira are aware of cybersecurity vulnerabilities associated with the Symbiq Infusion System. Hospira and an independent researcher confirmed that Hospira’s Symbiq Infusion System could be accessed remotely through a hospital’s network,” an action that could potentially “allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies.”

Researcher Billy Rios discovered the flaws in a number of Hospira infusion systems, including Plum A+, Lifecare PCA and, Symbiq products, according to Security Week. To date, there is no indication that such actions have occurred and no evidence of patient adverse events or unauthorized access.

While transitioning to an alternative infusion system, healthcare facilities should take the following steps to reduce the risk of unauthorized system access:

  • Disconnect the affected product from the network. Be aware that disconnecting the affected product from the network will have operational impacts, and will require drug libraries to be updated manually. Manual updates to each pump can be labor intensive and prone to entry error.
  • Ensure that unused ports are closed, including Port 20/FTP and Port 23/TELNET.
  • Monitor and log all network traffic attempting to reach the affected product via Port 20/FTP, Port 23/TELNET and Port 8443. Contact Hospira’s technical support to change the default password used to access Port 8443 or close it.

Hospira has discontinued the manufacture and distribution of the affected infusion systems, due to unrelated issues, and is currently working with its customers to transition to alternative systems, and the FDA strongly encourages these transitions as soon as possible. Hospira has also provided a software update to minimize vulnerabilities during the changeover.

“Hospira has been part of ongoing discussions with the FDA and Department of Homeland Security regarding recent developments around device cybersecurity,” Hospira told SecurityWeek in May. “It’s also worth noting that exploiting vulnerabilities requires penetrating several layers of network security enforced by the hospital information system, including secure firewalls. These network security measures serve as the first and strongest line of defense against tampering and the pumps and software provide an additional layer of security.”

Among the vulnerabilities discovered in Hospira infusion systems are a buffer overflow, improper authorization, insufficient verification of data authenticity, hardcoded passwords, improper storage of sensitive information, uncontrolled resource consumption, key and certificate management issues, and the use of vulnerable third party software.