Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

FDA Issues Alert Over Vulnerable Hospira Drug Pumps

The U.S. Food and Drug Administration (FDA) issued an alert on Friday to warn healthcare organizations about the cyber security risks associated with the use of Hospira Symbiq infusion systems.

The U.S. Food and Drug Administration (FDA) issued an alert on Friday to warn healthcare organizations about the cyber security risks associated with the use of Hospira Symbiq infusion systems.

Security flaws in Hospira’s Symbiq drug pumps were uncovered last year by researcher Billy Rios. The expert identified serious vulnerabilities in various infusion systems made by Hospira, including Plum A+, Lifecare PCA, and Symbiq products. The security holes can be exploited to remotely hack the devices and possibly change the dosage they deliver to patients.

Hospira has been working on developing software updates to address the reported vulnerabilities.

The vendor has decided to remove Symbiq infusion systems from the market, and is working with customers to help them deploy alternative products. The company says it has provided healthcare organizations a software update to mitigate vulnerabilities while they transition to new solutions.

The Symbiq infusion system was retired on May 31 and Hospira expects it to be fully removed from the market by the end of the year. The FDA has issued an alert to encourage organizations to stop using the vulnerable product and warn them about the risks.

“The FDA is alerting users of the Hospira Symbiq Infusion System to cybersecurity vulnerabilities with this infusion pump. We strongly encourage that health care facilities transition to alternative infusion systems, and discontinue use of these pumps,” the FDA said.

While Hospira is no longer selling Symbiq drug pumps, the FDA says the product might be available for purchase from third parties.

Hospira, the FDA and ICS-CERT, which has been facilitating communications between researchers and the manufacturer, said they were not aware of any unauthorized access incidents.

Until replacements for Symbiq infusion systems are deployed, the FDA advises organizations to disconnect the vulnerable devices from the network, but not without taking into account the operational impact (e.g. drug libraries will have to be updated manually).

The FDA’s recommendations also include closing unused ports (Port 20/FTP and Port 23/TELNET), changing default passwords, and monitoring network traffic for potential attacks.

Numerous vulnerabilities have been found in Hospira infusion systems, including a buffer overflow, improper authorization, insufficient verification of data authenticity, hardcoded passwords, improper storage of sensitive information, uncontrolled resource consumption, key and certificate management issues, and the use of vulnerable third party software.

“Hospira has been part of ongoing discussions with the FDA and Department of Homeland Security regarding recent developments around device cybersecurity,” Hospira told SecurityWeek in May. “It’s also worth noting that exploiting vulnerabilities requires penetrating several layers of network security enforced by the hospital information system, including secure firewalls. These network security measures serve as the first and strongest line of defense against tampering and the pumps and software provide an additional layer of security.”

While there haven’t been any reported incidents, medical device security has been in the spotlight over the past years after researchers demonstrated that the vulnerabilities plaguing such devices can put lives at risk.

Related: Learn more at the ICS Cyber Security Conference

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.