FDA Issues Alert Over Vulnerable Hospira Drug Pumps

The U.S. Food and Drug Administration (FDA) issued an alert on Friday to warn healthcare organizations about the cyber security risks associated with the use of Hospira Symbiq infusion systems.

Security flaws in Hospira’s Symbiq drug pumps were uncovered last year by researcher Billy Rios. The expert identified serious vulnerabilities in various infusion systems made by Hospira, including Plum A+, Lifecare PCA, and Symbiq products. The security holes can be exploited to remotely hack the devices and possibly change the dosage they deliver to patients.

Hospira has been working on developing software updates to address the reported vulnerabilities.

The vendor has decided to remove Symbiq infusion systems from the market, and is working with customers to help them deploy alternative products. The company says it has provided healthcare organizations a software update to mitigate vulnerabilities while they transition to new solutions.

The Symbiq infusion system was retired on May 31 and Hospira expects it to be fully removed from the market by the end of the year. The FDA has issued an alert to encourage organizations to stop using the vulnerable product and warn them about the risks.

“The FDA is alerting users of the Hospira Symbiq Infusion System to cybersecurity vulnerabilities with this infusion pump. We strongly encourage that health care facilities transition to alternative infusion systems, and discontinue use of these pumps,” the FDA said.

While Hospira is no longer selling Symbiq drug pumps, the FDA says the product might be available for purchase from third parties.

Hospira, the FDA and ICS-CERT, which has been facilitating communications between researchers and the manufacturer, said they were not aware of any unauthorized access incidents.

Until replacements for Symbiq infusion systems are deployed, the FDA advises organizations to disconnect the vulnerable devices from the network, but not without taking into account the operational impact (e.g. drug libraries will have to be updated manually).

The FDA’s recommendations also include closing unused ports (Port 20/FTP and Port 23/TELNET), changing default passwords, and monitoring network traffic for potential attacks.

Numerous vulnerabilities have been found in Hospira infusion systems, including a buffer overflow, improper authorization, insufficient verification of data authenticity, hardcoded passwords, improper storage of sensitive information, uncontrolled resource consumption, key and certificate management issues, and the use of vulnerable third party software.

“Hospira has been part of ongoing discussions with the FDA and Department of Homeland Security regarding recent developments around device cybersecurity,” Hospira told SecurityWeek in May. “It’s also worth noting that exploiting vulnerabilities requires penetrating several layers of network security enforced by the hospital information system, including secure firewalls. These network security measures serve as the first and strongest line of defense against tampering and the pumps and software provide an additional layer of security.”

While there haven’t been any reported incidents, medical device security has been in the spotlight over the past years after researchers demonstrated that the vulnerabilities plaguing such devices can put lives at risk.

Related: Learn more at the ICS Cyber Security Conference