Symbiq Infusion Systems Have Cybersecurity Vulnerabilities, FDA Warns

Hospira’s Symbiq computerized drug infusion pump may have cybersecurity weaknesses, potentially allowing hackers to manipulate the device, according to federal regulators. 

The FDA issued a safety communication on July 31, warning that the agency, the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), and Hospira have identified that the Symbiq Infusion System has exploitable cybersecurity vulnerabilities.

Officials warn that the device could potentially be hacked and remotely controlled, including ordering the device to provide deadly drug overdoses to patients.

The Hospira Symbiq Infusion System is used in hospitals, nursing homes and outpatient healthcare facilities, providing continuous delivery of different infusion therapies. The system involves a computerized pump that can communicate with a Hospital Information System (HIS) via a wired or wireless connection over facility network infrastructures.

According to the FDA, the vulnerabilities were discovered by Hospira and an independent researcher, who determined that the device could be accessed maliciously through a hospital’s network.

No actual hacking events have been reported, and the Symbiq is no longer in production for other reasons, unrelated to the cybersecurity flaw. However, the FDA is calling for hospitals to stop using pumps still in circulation and to transition to alternative infusion systems due to the risk of hacking.

In the meantime, the devices should be disconnected from the network, and unused ports should be closed, according to FDA warnings. In addition, hospital employees should monitor and log all network traffic trying to reach the infusion pumps via Port 20/FTP, Port 23/TELNET and Port 8443.

Hospitals still using the pumps should contact Hospira’s technical support to learn how to change the default password for access to Port 8443 or how to close the port.
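One way to act on the monitoring advice above, shown as an added example that is not from the FDA, Hospira or the original article: a filter that pulls every connection record aimed at a pump on the three named ports and marks the ones from unexpected sources for review. The log format, the pump subnet, the allowed source host and all sample records are constructed assumptions.

```python
import ipaddress
from collections import Counter
# Ports named in the FDA advice quoted in the article.
WATCHED_PORTS = {20: "FTP", 23: "TELNET", 8443: "TCP/8443"}
# Assumptions (constructed): pump subnet and the one host expected to reach pumps.
PUMP_NET = ipaddress.ip_network("192.0.2.0/28")
ALLOWED_SOURCES = {ipaddress.ip_address("198.51.100.10")}

# Constructed sample in a hypothetical format:
# "timestamp src sport dst dport proto action"
SAMPLE_LOG = """\
2015-08-01T02:14:07Z 198.51.100.10 51522 192.0.2.5 8443 tcp allow
2015-08-01T02:15:41Z 198.51.100.77 40211 192.0.2.5 23 tcp allow
2015-08-01T02:15:44Z 198.51.100.77 40212 192.0.2.6 23 tcp deny
2015-08-01T02:16:02Z 198.51.100.77 40250 192.0.2.5 443 tcp allow
2015-08-01T02:17:30Z 203.0.113.9 33890 192.0.2.9 20 tcp deny
malformed line here
2015-08-01T02:18:00Z 198.51.100.77 40300 192.0.2.40 23 tcp allow
"""

def parse_line(line):
    """Return a record dict, or None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, src, _sport, dst, dport, _proto, action = parts
    try:
        return {"ts": ts, "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst),
                "dport": int(dport), "action": action}
    except ValueError:  # bad IP address or non-numeric port
        return None

def pump_port_events(log_text):
    """All records aimed at a pump on a watched port, allowed or denied."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] not in PUMP_NET or rec["dport"] not in WATCHED_PORTS:
            continue
        rec["service"] = WATCHED_PORTS[rec["dport"]]
        rec["expected"] = rec["src"] in ALLOWED_SOURCES
        events.append(rec)
    return events

def unexpected_by_source(events):
    # Count attempts per source that is not on the allow-list.
    return Counter(str(e["src"]) for e in events if not e["expected"])

if __name__ == "__main__":
    for e in pump_port_events(SAMPLE_LOG):
        print(e["ts"], e["src"], "->", e["dst"], e["service"], e["action"],
              "ok" if e["expected"] else "REVIEW")
```

Denied attempts are kept in the output because the advice is to log all traffic trying to reach the pumps, not only the connections that succeed.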

The alert follows a similar warning issued in May over the Hospira LifeCare PCA3 and PCA5 infusion pump systems.

Medical Device Cybersecurity Concerns

Concerns regarding insulin pump security problems were first raised in August 2011, at the Black Hat security conference in Las Vegas. That was followed by a demonstration in 2012 by a McAfee, Inc. research architect, who showed attendees at the RSA security conference how hackers could remotely access some pumps from up to 300 feet away.

The problems were first highlighted by Jerome Radcliffe, another McAfee employee, who has since worked with ICS-CERT to push drug pump vendors to address the problem seriously.

ICS-CERT started investigating cybersecurity flaws in the medical equipment nearly three years ago. Traditional thinking held that the products only needed to be protected from unintentional hacks; now they believe intentional hacks must be guarded against as well. The group is looking at Hospira drug pumps, as well as implantable heart devices manufactured by Medtronic, Inc. and St. Jude Medical.

In October 2014, the FDA issued final guidance on the cybersecurity of medical devices. The guidance suggested ways that manufacturers should handle security concerns surrounding new technology used in medical devices.

The FDA also called on manufacturers to consider hacks during the initial design of medical devices, asking manufacturers to inform the agency about potential risks and how to handle them.

In 2013, the FDA urged medical device manufacturers to take new measures to increase cybersecurity. The FDA safety warning called on health care facilities and manufacturers to take steps to safeguard their networks and information before an attack occurs. The recommendations included conducting security software updates, installing patches and refraining from uncontrolled distribution of passwords.
