Last Friday, the Food and Drug Administration (FDA) issued a statement warning that certain drug infusion pumps that administer medication to patients are vulnerable to being hacked.  The statement focused on the Symbiq Infusion System (Symbiq) manufactured by Hospira, Inc. Infusion pumps such as Symbiq are used by hospitals, nursing homes and other facilities to continuously administer drugs over extended periods.

This is not the first security issue for the Lake Forest, Illinois, company that is set to be acquired by Pfizer later this year for roughly $17 billion. In June of this year, the FDA and DHS alerted health care facilities of similar security concerns related to a separate Hospira fusion pump system called LifeCare PCA.

Hospira and an independent researcher confirmed that Symbiq could be accessed remotely through a hospital’s network. Remote access could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies.

The FDA and Hospira are not currently aware of any patient adverse events or unauthorized access of Symbiq in a health care setting. Nevertheless, the FDA’s statement urged health care facilities to consider taking a number of steps to mitigate the risk. The most drastic step recommended by the FDA is the disconnecting of Symbiq systems from the health care facility’s network, which the FDA noted could impose operational difficulties for facilities. Alternatively, the FDA recommends either closing certain ports or, if the ports are kept open, monitoring all network traffic attempting to reach the Symbiq system over the affected ports.

In 2012, the FDA banned the import of Symbiq pumps manufactured in Hospira’s Costa Rica plant due to uncorrected quality problems. According to a separate advisory issued by the Department of Homeland Security (DHS), Hospira announced in 2013 that Symbiq would be retired in May of this year, and would be fully removed from the market by December 2015.  But, as the FDA notes in its statement, some third parties continue to sell the Symbiq system, and Hospira has not indicated how many Symbiq systems are still in use.

The threats to medical devices, including infusion pumps, are not new. In 2012, the Government Accountability Office (GAO) issued a report recommending, among other things, that the FDA more robustly consider the information security risks posed by intentional threats to medical devices.