Device vulnerability and cybersecurity are a growing and very real concern in the medical device industry. The industry is now seeing the latest manifestation of this issue with Hospira’s Symbiq Infusion System. On Friday, FDA issued a safety communication alert related to this product and advised any healthcare facilities that are currently using it to “transition to alternative systems”.
The issue: The infusion system can be remotely accessed through a hospital network, enabling unauthorized users to control the device and, most dangerously, to control the dosage that the pump delivers. According to the FDA alert, the agency, the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, and Hospira are aware of the problem.
Hospira has already stopped manufacturing the product due to issues unrelated to the latest FDA alert. Regardless, these products are still being used in hospitals and care centers (and are still being sold by third parties), which has led FDA to “strongly” urge healthcare facilities to switch to another product. During the transition, the agency is advising facilities to disconnect the product from the network, ensure that unused ports are closed, and monitor and log all network traffic that attempts to access the product. FDA also cautions that disconnecting the infusion pump system will require manual updates to the drug libraries, which means caregivers will need to be even more vigilant about entry errors.