FDA: Discontinue Use of Flawed Infusion Pumps
Agency Cites Cybersecurity Concerns in its Warning
For the first time, the Food and Drug Administration has issued a warning urging healthcare organizations to discontinue the use of a family of medical devices due to cybersecurity issues and transition to other products.
In a July 31 safety communication, the FDA says healthcare providers using the Hospira Symbiq Infusion System, Version 3.13 or older, are "strongly encouraged" to transition to alternative infusion systems and discontinue use of these pumps due to cybersecurity vulnerabilities.
"Hospira and an independent researcher confirmed that Hospira's Symbiq Infusion System could be accessed remotely through a hospital's network," the FDA notes in its statement. "This could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies."
The FDA and Hospira are not aware of any patient adverse events or unauthorized access of a Symbiq Infusion System in a healthcare setting, the FDA statement says. "Hospira has discontinued the manufacture and distribution of the Symbiq Infusion System, due to unrelated issues, and is working with customers to transition to alternative systems," the FDA says. "However, due to recent cybersecurity concerns, the FDA strongly encourages healthcare facilities to begin transitioning to alternative infusion systems as soon as possible."
The warning about the Symbiq line of infusion pumps from Hospira follows a warning the FDA issued in May about another line of Hospira pumps - the Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems. In that earlier warning, however, healthcare providers were instructed to take several steps to address the problem, including isolating the Internet-facing devices on a separate network (see FDA: Infusion Pumps Have Vulnerabilities). The FDA stopped short of advising organizations to drop use of those products.
This new call for discontinuing use of the Symbiq line of Hospira infusion pumps is far more dramatic. "This news is big because it means FDA will intervene in the marketplace if a cybersecurity vulnerability puts patient safety at risk," says medical device expert Kevin Fu, associate professor of the electrical engineering and computer science department at the University of Michigan.
"Boards of directors across the globe will likely have cybersecurity come-to-Jesus moments today," he says. "Cybersecurity has been largely ignored by many device manufacturers, and I wouldn't be surprised if there are dozens more of these warnings coming. Many medical device manufacturers have been asleep at the wheel with cybersecurity. This is what we call a 'technology debt.'"
Healthcare providers need to immediately assess their medical device inventory to see if they have any of these Hospira devices in use, even in their smallest facilities, Fu urges.
"Healthcare organizations need to do their due diligence, because if something happens [to a patient affected by these devices], there are huge liability issues," he says.
Security and privacy attorney Kirk Nahra of the law firm Wiley Rein portrays medical device concerns as "tremendously challenging." He adds: "They are a true 'cyber' risk rather than a more traditional data security risk, because it isn't the personal information that is really at risk, but the direct health of the patient. It puts a burden on providers to have confidence in what they are suggesting for patients - and to always question when a device company says their product is 'HIPAA compliant'."
If a patient is harmed because of the use of one of these devices, Nahra says, "for any lawsuits, everyone involved is likely to get sued, so this is a real challenge for everyone that may create real impediments to new - and potentially useful - healthcare technology" looking ahead.
Even though the FDA has been issuing voluntary guidance to the healthcare sector over the last two years to encourage medical device makers to build cybersecurity into the designs of their products, big change isn't likely to happen soon, Fu says. That's because the design cycles for medical devices are long.
"This will take multiple years, maybe 10 years or more, to see fundamental differences in the focus on cybersecurity in the design of these products," he predicts.
An FDA spokeswoman tells Information Security Media Group, "In an increasingly interconnected world, cybersecurity of medical devices is a growing concern and one that the FDA is focused on addressing. If and when any other safety communications become necessary, the FDA will make the information publicly available."
Independent researcher Billy Rios, who last year discovered security vulnerabilities in Hospira medical infusion pumps, says the earlier warning from the FDA this year was specific to the Hospira PCA3 and PCA5 models. However, those same vulnerabilities are also present in the Hospira Symbiq infusion pump line that is now the focus of the new warning, he tells ISMG.
The discoveries by Rios also prompted the Department of Homeland Security to issue an advisory about the Hospira Symbiq infusion pumps on July 21.
That DHS warning says: "Independent researcher Billy Rios identified a vulnerability in Hospira's Symbiq Infusion System, which can be exploited to remotely control the device, in conjunction with previously identified vulnerabilities. ... Hospira has provided compensating measures to help mitigate risks associated with this vulnerability. As previously announced by Hospira in 2013, the Symbiq Infusion System would be retired on May 31, 2015, and will be fully removed from the market by December 2015."
Rios contends, however: "None of the issues listed in the FDA or DHS advisory have been addressed by the vendor. They have implemented one-off mitigation for a few customers, but nothing widespread or comprehensive. In fact, the public mitigation advice given by Hospira is technically incorrect; they asked customers to close the incorrect port. Despite [Hospira's] public statements that they 'take cybersecurity very seriously,' I think it's indicative of how seriously they really take it," he says.
As for the FDA's latest warning, "This is the first time I've seen such a strong statement," Rios says. "I applaud the FDA for taking this step. The alternative is to wait for a patient death."
In a statement provided to ISMG, Hospira says: "In alignment with Hospira's cybersecurity roadmap, we've designed our next-generation infusion systems with enhanced network security protections in place."
Regarding how many Symbiq infusion pumps are currently in use in the U.S. and worldwide, "as a matter of course, we don't break out individual product numbers," Hospira says.
"It's also important to note that there are no known instances of cybersecurity breaches of Hospira devices in a clinical setting, and we have a team of internal and external experts working hard so this remains the case," Hospira adds.
The latest warning by the FDA is also an acknowledgement of the growing threat that hackers pose to the healthcare sector, especially in light of recent cyberattacks on healthcare providers, including UCLA Health.
"The healthcare sector is very attractive for attack since it deals with critical embedded systems that can create a large amount of press," notes Ryan Kastner, a professor in the Department of Computer Science and Engineering at the University of California, San Diego. "These systems hold a lot of valuable confidential information - patient data, personal information, etc." This data is so valuable "because it can be sold in a black market and used for identity theft types of crime," he adds. "Perhaps even scarier is the integrity of these devices. An attack can be deadly. This brings a lot of attention and press, which is often what attackers are looking to gain."
As for "new ways in" to healthcare networks, "attackers always go for the weakest link," he says. "There has been more focus on protecting hospital networks recently, and little focus on the medical devices themselves. So if this trend continues, then inevitably the devices will become the 'easiest way in'."