FDA Warns Hospitals to Pull Hackable Drug Pump

The US Food and Drug Administration (FDA) has joined the chorus of voices warning hospitals against using a particular type of internet-connected drug infusion pump which hackers could remotely control.

The FDA issued an advisory on Friday about the Hospira Symbiq Infusion System v3.13 and earlier, following a Department of Homeland Security ICS-CERT warning on the system back in June.

It explained:

“Hospira and an independent researcher confirmed that Hospira’s Symbiq Infusion System could be accessed remotely through a hospital’s network. This could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies. The FDA and Hospira are currently not aware of any patient adverse events or unauthorized access of a Symbiq Infusion System in a health care setting.”

As a result, the FDA said: “we strongly encourage that health care facilities transition to alternative infusion systems, and discontinue use of these pumps.”

The independent researcher mentioned was Billy Rios, who was namechecked in the ICS-CERT advisory which also flagged Hospira’s Plum A+ Infusion System (v13.4 and earlier) and Plum A+ 3 Infusion System (v13.6 and earlier) as affected.

That report listed a wide range of vulnerabilities in the products including wireless keys stored in plain text; use of hard-coded passwords; a stack-based buffer overflow; and root privileges given to unauthorized users.

These featured CVSS scores ranging from 4.6 to the maximum of 10.0, with all but two exploitable by an attacker with “low skill,” according to the advisory.

Symbiq manufacturer Hospira claimed the products listed are only in “limited use” in the US and Canada, and that since 2013 – about the same time manufacturing ceased for these models – its global device strategy has foregrounded security.

It added the following in a statement:

“After evaluating reported vulnerabilities, we are communicating with customers at the limited number of sites where Symbiq remains in use. We have worked with them to deploy an update to the pump configuration to close access ports and put additional cybersecurity protections in place. This option provides our Symbiq customers with another layer of security for the devices while they remain in the market for another few months.”

The case highlights once again the dangers posed by unsecured “smart” devices, as the Internet of Everything continues to expand and seep into every corner of our lives.