Hospital Drug Pump Can Be Hacked Through Network, FDA Warns

Updated on

A pump used to infuse drugs at a patient’s bedside can be hacked through hospital networks, causing an over- or under-dose, U.S. regulators said.

Health-care providers should stop use of the pumps, which were manufactured by Hospira Inc. and called Symbiq, the Food and Drug Administration said in a statement Friday. While Hospira has quit making the devices, they are still in use by hospitals, nursing homes and other health-care facilities to administer drugs intravenously, according to the agency.

The FDA “strongly encourages health-care facilities to begin transitioning to alternative infusion systems as soon as possible,” the agency said. The FDA warned about similar vulnerabilities to other Hospira pumps in May.

The FDA said an independent researcher alerted the agency that Hospira’s pumps could be accessed through a hospital’s wireless networks. “This could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies,” the FDA said.

The agency isn’t aware of any patients who have been injured or any pumps that have been accessed without authorization.

The vulnerability shows the risky side of an increasingly connected health-care system. While technology can make care more accurate and efficient, security experts have raised concerns about how criminals might breach devices to steal information or harm patients.

Vulnerable Devices

A Hospira spokeswoman referred questions to a statement posted on the company’s website, saying the company was working with U.S. authorities. “We are communicating with customers at the limited number of sites where Symbiq remains in use,” the company said. “We have worked with them to deploy an update to the pump configuration to close access ports and put additional cybersecurity protections in place.”

The Government Accountability Office, in a 2012 report, warned that medical devices were particularly susceptible and should be closely tracked. The GAO report was initiated after computer-security researchers found vulnerabilities in insulin pumps, which carefully dispense the drug into the body to keep blood sugar levels stable. Too much or too little insulin can be deadly.

The U.S. Federal Bureau of Investigation and the Department of Homeland Security are aware of the Hospira pump’s vulnerability, the FDA said.

In 2012, the FDA banned the import of Symbiq pumps made in Hospira’s Costa Rica manufacturing facility, noting in a warning letter that the agency had found numerous uncorrected quality problems. That import ban has since been lifted, Hospira said.

(Updates with Hospira comment in seventh paragraph.)

    Before it's here, it's on the Bloomberg Terminal. LEARN MORE