The U.S. Food and Drug Administration (FDA) recently issued a safety alert warning health care facilities and providers to suspend or avoid use of Hospira’s Symbiq Infusion System. The announcement came after the FDA, the U.S. Department of Homeland Security, and the medical device manufacturer Hospira became aware of cybersecurity vulnerabilities associated with the infusion pumps.
The Hospira Symbiq Infusion System is “a computerized pump designed for the continuous delivery of general infusion therapy for a broad patient population.” According to the FDA communication, Hospira confirmed with an independent researcher that the Hospira Symbiq Infusion System could be hacked remotely through online hospital information systems. The most immediate risk is that an unauthorized individual could alter the infusion settings of the pump, leading to a potentially fatal under- or overdose.
This is not the first time Hospira has experienced technical difficulties with its pumps. In March of this year, Hospira issued a Class I recall of its Plum A+ and A+3 infusion pumps. In a safety alert, the FDA explained that an alarm that triggers when therapy is interrupted was not working as intended, and thus could result in patients going hours at a time without vital treatment.
In both the March recall and this new safety alert, no patient deaths or injuries were reported. Nonetheless, the FDA is strongly urging health care facilities not to purchase the Hospira Symbiq Infusion System, or to transition to an alternative product if the pumps are already in use.
As hospitals and devices become networked, security and hacking are obvious risks that must be planned for, addressed, and rigorously tested. While it may seem obvious that critical life support and therapy systems must be designed and implemented to prevent unauthorized control, these issues are too often overlooked or not properly addressed.