FDA issues alert for infusion pump
The Food and Drug Administration (FDA) has issued an alert to users of a computerized infusion pump that communicates with hospital information systems via a wired or wireless connection over facility network infrastructures. The pump has serious cybersecurity vulnerabilities that could put patient safety at risk.
The FDA has strongly encouraged acute and non-acute healthcare facilities, such as nursing homes and outpatient care centers, currently using the Hospira Symbiq Infusion System, to discontinue use of these pumps and find alternative infusion systems as soon as possible.
According to FDA's safety communication, both the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team and Hospira are aware of the pump's cybersecurity vulnerabilities.
“This could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies,” the alert warns. “The FDA and Hospira are currently not aware of any patient adverse events or unauthorized access of a Symbiq Infusion System in a healthcare setting.”
Healthcare facilities should disconnect the pumps from their networks to reduce the risk of unauthorized system access when switching to a different infusion system. However, providers also should be aware of the "operational impacts" of disconnecting the devices from the network. Providers must manually update drug libraries for each pump which “can be labor intensive and prone to entry error.”
The infusion pumps are no longer available for purchase through Hospira but the FDA is concerned that the product is still potentially available for purchase from third parties.