FDA Urges Hospitals to Discontinue Use of Hospira Infusion System Due to Cybersecurity Vulnerabilities

In a warning that is the first of its kind, on July 31, 2015, the FDA encouraged healthcare facilities to stop using the Hospira Symbiq Infusion System due to cybersecurity vulnerabilities. (http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm) The infusion system is a computerized pump designed for the continuous delivery of general infusion therapy for a broad patient population. It operates by communicating with a Hospital Information System (“HIS”) via a wired or wireless connection over a facility’s network.

The vulnerability allows the infusion system to be accessed by an unauthorized user, who can then change the dosage the pump delivers. This can cause an over or under infusion of critical patient therapies. The FDA and Hospira are currently not aware of any adverse patient events or actual unauthorized access of the infusion system in a healthcare setting.

Healthcare providers better get used to warnings like this as medical devices are increasingly connected to healthcare networks. It is only a matter of time until an unauthorized user exploits a medical device vulnerability to cause an adverse patient event, or to access PHI in a provider’s network.

Written by: Richard Sheinis, Esq.