You are here
Citing Hacking Risk, FDA Says Facilities Shouldn’t Use Symbiq Infusion Pump
The FDA, the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), and Hospira are aware of cybersecurity vulnerabilities associated with the Symbiq infusion system, according to a recent announcement. The FDA strongly encourages health care facilities to transition to alternative infusion systems, and to discontinue the use of these pumps.
Hospira and an independent researcher confirmed that Hospira’s Symbiq infusion system could be accessed remotely through a hospital’s network. This could allow an unauthorized user to control the device and to change the dosage that the pump delivers, which could lead to over- or under-infusion of critical patient therapies. The FDA and Hospira are currently not aware of any adverse events or unauthorized access of a Symbiq infusion system in a health care setting.
Hospira has discontinued the manufacture and distribution of the system because of unrelated issues and is working with customers to transition to alternative systems. However, because of recent cybersecurity concerns, the FDA strongly encourages health care facilities to begin transitioning to alternative infusion systems as soon as possible.
While the Symbiq infusion system is no longer available for purchase through Hospira, the FDA is aware that these infusion pumps are potentially available for purchase from third parties not associated with Hospira. The FDA strongly discourages the purchase of the Symbiq infusion system from these parties.
The FDA is actively investigating the situation based on current information. If new information becomes available about patient risks and any additional steps users should take, the FDA will communicate such information publicly.
The Symbiq infusion system is a computerized pump designed for the continuous delivery of general infusion therapy for a broad patient population. It is primarily used in hospitals or other acute and non-acute health care facilities, such as nursing homes and outpatient care centers. This infusion system can communicate with a hospital information system (HIS) via a wired or wireless connection over facility network infrastructures.
While transitioning to an alternative infusion system, facilities should consider taking the following steps to reduce the risk of unauthorized access to the system:
Disconnect the affected product from the network. CAUTION: Disconnecting the affected product from the network will have operational impacts. Disconnecting the device will require drug libraries to be updated manually. Manual updates to each pump can be labor intensive and prone to entry error.
Ensure that unused ports are closed, including Port 20/FTP and Port 23/TELNET.
Monitor and log all network traffic attempting to reach the affected product via Port 20/FTP, Port 23/TELNET, and Port 8443. Contact Hospira’s technical support to change the default password used to access Port 8443 or to close it.
Source: FDA; July 31, 2015.