The U.S. Food and Drug Administration on Friday advised hospitals not to use Hospira Inc’s Symbiq infusion system, saying a security vulnerability could allow cyber attackers to take remote control of the system.
The agency issued the advisory some 10 days after the U.S. Department of Homeland Security warned of the vulnerability in the pump, which is used to deliver medications directly into the bloodstream of patients.
The FDA and DHS cited research from independent cyber security expert Billy Rios, who found that remote attacks could be launched on patients by accessing a hospital’s network.
Both the FDA and DHS said they know of no cases where such an attack has been launched, but the FDA said in its advisory that it strongly encouraged healthcare facilities to stop using the Symbiq infusion pump system and move to other devices.
This vulnerability could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies
It was the first time the FDA has advised healthcare providers to discontinue use of a medical device because of a cyber-security vulnerability.
The FDA said Hospira had previously discontinued the manufacture and sales of the Symbiq system for reasons not related to the cyber vulnerability, but that they were still in use and being sold by third parties.