Virtual Event Today: Supply Chain Security Summit - Join Event In-Progress

Security Experts:

Connect with us

Hi, what are you looking for?



FDA Issues Alert Over Vulnerable Hospira Drug Pumps

The U.S. Food and Drug Administration (FDA) issued an alert on Friday to warn healthcare organizations about the cyber security risks associated with the use of Hospira Symbiq infusion systems.

The U.S. Food and Drug Administration (FDA) issued an alert on Friday to warn healthcare organizations about the cyber security risks associated with the use of Hospira Symbiq infusion systems.

Security flaws in Hospira’s Symbiq drug pumps were uncovered last year by researcher Billy Rios. The expert identified serious vulnerabilities in various infusion systems made by Hospira, including Plum A+, Lifecare PCA, and Symbiq products. The security holes can be exploited to remotely hack the devices and possibly change the dosage they deliver to patients.

Hospira has been working on developing software updates to address the reported vulnerabilities.

The vendor has decided to remove Symbiq infusion systems from the market, and is working with customers to help them deploy alternative products. The company says it has provided healthcare organizations a software update to mitigate vulnerabilities while they transition to new solutions.

The Symbiq infusion system was retired on May 31 and Hospira expects it to be fully removed from the market by the end of the year. The FDA has issued an alert to encourage organizations to stop using the vulnerable product and warn them about the risks.

“The FDA is alerting users of the Hospira Symbiq Infusion System to cybersecurity vulnerabilities with this infusion pump. We strongly encourage that health care facilities transition to alternative infusion systems, and discontinue use of these pumps,” the FDA said.

While Hospira is no longer selling Symbiq drug pumps, the FDA says the product might be available for purchase from third parties.

Hospira, the FDA and ICS-CERT, which has been facilitating communications between researchers and the manufacturer, said they were not aware of any unauthorized access incidents.

Until replacements for Symbiq infusion systems are deployed, the FDA advises organizations to disconnect the vulnerable devices from the network, but not without taking into account the operational impact (e.g. drug libraries will have to be updated manually).

The FDA’s recommendations also include closing unused ports (Port 20/FTP and Port 23/TELNET), changing default passwords, and monitoring network traffic for potential attacks.

Numerous vulnerabilities have been found in Hospira infusion systems, including a buffer overflow, improper authorization, insufficient verification of data authenticity, hardcoded passwords, improper storage of sensitive information, uncontrolled resource consumption, key and certificate management issues, and the use of vulnerable third party software.

“Hospira has been part of ongoing discussions with the FDA and Department of Homeland Security regarding recent developments around device cybersecurity,” Hospira told SecurityWeek in May. “It’s also worth noting that exploiting vulnerabilities requires penetrating several layers of network security enforced by the hospital information system, including secure firewalls. These network security measures serve as the first and strongest line of defense against tampering and the pumps and software provide an additional layer of security.”

While there haven’t been any reported incidents, medical device security has been in the spotlight over the past years after researchers demonstrated that the vulnerabilities plaguing such devices can put lives at risk.

Related: Learn more at the ICS Cyber Security Conference

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet