FDA warns of security flaw in Hospira infusion pumps

Reuters News | Posted: Jul 31, 2015 4:18 PM

By Jim Finkle

BOSTON (Reuters) - The U.S. Food and Drug Administration on Friday advised hospitals to stop using Hospira Inc's Symbiq infusion system, saying a security vulnerability could allow cyber attackers to take control of the system remotely.

The agency issued the advisory some 10 days after the U.S. Department of Homeland Security warned of the vulnerability in the pump, which is used to deliver medications directly into the bloodstream of patients.

The FDA and DHS cited research from independent cyber security expert Billy Rios, who found that remote attacks could be launched on patients by accessing a hospital's network.

Both government agencies said they know of no cases where such an attack has been launched, but the FDA said in its advisory that it strongly encouraged healthcare facilities to stop using the Symbiq infusion pump system and move to other devices.

"This (vulnerability) could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies," the agency said in its warning.

The warning came as industry and government regulators are placing unprecedented attention on public safety risks posed by cyber vulnerabilities in products with embedded computers.

Fiat Chrysler last week announced the recall of 1.4 million U.S. vehicles to install software to prevent hackers from gaining remote control of the engine, steering and other systems.

It was the first auto recall prompted by a cyber vulnerability.

The FDA said Hospira had discontinued the manufacture and sales of the Symbiq system for reasons not related to the cyber vulnerability, but that the pumps were still in use and being sold by third parties.

Hospira officials could not immediately be reached for comment.

(Editing by Jonathan Oatis)