Dive Brief:
- The FDA issued an alert this week to healthcare facilities about cybersecurity risks in Hospira's Symbiq Infusion Systems.
- The vulnerabilities, which include remote hacking to possibly alter the dosage being delivered to patients, were initially discovered a year ago, and the company has been developing software updates to address them.
- Hospira retired the unit at the end of May and expects it to be completely off the market by the end of the year. The FDA alert "strongly encouraged" facilities to stop using it and issued a warning about the device's risks.
Dive Insight:
The FDA is advising facilities to disconnect the Symbiq systems from the network, close unused ports, change default passwords, and monitor network traffic for potential cyberattacks.
Several vulnerabilities have been discovered in the company's infusion systems, including buffer overflow, improper authorization, insufficient verification of data authenticity, hard-coded passwords, improper storage of sensitive information, uncontrolled resource consumption, key and certification management issues, and use of vulnerable third-party software, according to Security Week.
"It's worth noting that exploiting vulnerabilities requires penetrating several layers of network security enforced by the hospital information system, including secure firewalls," the company told the publication in May. "These network security measures serve as the first and strongest line of defense against tampering and the pumps and software provide an additional layer of security."
The FDA states in its alert that neither it nor Hospira is aware of any patient adverse events or unauthorized access to a Symbiq Infusion System in a healthcare setting.