FDA Warns of Cybersecurity Vulnerabilities with Hospira’s Symbiq

August 7, 2015

The FDA is cautioning healthcare facilities on the use of the discontinued Symbiq infusion system after the manufacturer and an independent investigator determined that unauthorized users could gain access to the pump through a hospital network.

In a notice posted to its website, the FDA says Hospira and the researcher have found that a cyber intruder could change the dosage of the pump delivers, causing an over- or underinfusion of patient therapies. While there have been no reports of adverse events related to the use of the pump, which can communicate with a hospital’s information system through a wired or wireless connection, the FDA is encouraging facilities to transition to an alternative as soon as possible.

For those facilities still using the systems, the FDA is advising that they disconnect the devices from the network. It warns of potential issues associated with this task, such as having to update drug libraries manually — a time-intensive process that could lead to errors.

Hospira no longer manufactures or distributes these systems, due to factors unrelated to cybersecurity. However, third parties still may be selling Symbiq, and the FDA is strongly discouraging hospitals from buying these systems from them.

This is not the first time federal officials have warned of cyberthreat posed by a Hospira device. This past spring, the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team issued an advisory warning to users of the LifeCare PCA infusion system that the device may be vulnerable to a cyberattack. 

In a case similar to the Symbiq vulnerability, the LifeCare weaknesses involve user authorization and verification of data authenticity, which could allow hackers to access the pump’s controls and alter the type or amount of drug dispensed (IDDM, May 6). — Elizabeth Hollis