In an unprecedented move, the FDA told hospitals to stop using Hospira's ($HSP) Symbiq Infusion System because it can be remotely accessed by hackers, allowing the unauthorized user "to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies."
"This is the first time the FDA has encouraged the transition to other products because of a cybersecurity-related vulnerability," agency spokeswoman Angela Stark told FierceMedicalDevices in an email.
The agency's statement marks another step to patrol the cybersecurity of medical devices, an issue that has long bedeviled Hospira's infusion pumps in particular, though the FDA is not aware of any real-world instances of unauthorized access or cyberattacks on Symbiq patients.
Hospira discontinued sale of the Symbiq for unrelated reasons, though the model is still in use and potentially available commercially via third-party vendors. The FDA banned the importation of the pump in November 2012 following an inspection of its Costa Rica manufacturing facility and issuance of a warning letter.
But other Hospira infusion pumps have been the target of FDA cybersecurity warnings as well, thanks to the work of independent researchers like Billy Rios, who identified the most recent vulnerability.
[Image: LifeCare PCA Infusion System, courtesy of Hospira]
His research led the FDA and Department of Homeland Security to warn of similar concerns regarding Hospira's LifeCare PCA3 and PCA5 infusion pumps in May. Those models are still on the market. The feds recommended software upgrades and risk-mitigation measures but did not call for use of those devices to be discontinued.
About a month later Rios wrote in a blog post that other Hospira pumps are also affected and said "we have yet to see a single fix for the issues affecting the PCA 3," leading to criticism from cybersecurity expert Kevin Fu, who told FierceMedicalDevices in a June email that Hospira executives are "shameful" and "in denial about cybersecurity risks."
Since the FDA published its cybersecurity guidance, some companies are taking the issue seriously, others are unsure how to, "and then at the very bottom, there are a small number of companies such as Hospira that I've never seen participate at the cybersecurity standards meetings like the other manufacturers, and in my opinion their executives are in shameful denial about cybersecurity risks. You can tell someone that their fly is down, but denial just means we can still see your junk," Fu wrote in the email.
In response to the latest cybersecurity issue, Hospira said on its website that "We are communicating with customers at the limited number of sites where Symbiq remains in use. We have worked with them to deploy an update to the pump configuration to close access ports and put additional cybersecurity protections in place."
The public is concerned about the potential for a malicious hacker to exploit a vulnerability such as this one on a specific individual. But the majority of cybersecurity threats are more ubiquitous and widespread in nature, for example, malicious computer viruses that target all hardware, including medical devices, Fu said at a cybersecurity event in March.
Still, Fu is worried that a targeted attack might lead patients to stop using devices altogether, which would make them vulnerable to other, far more likely risks, e.g., a heart attack, saying in March, "I think it would be a real tragedy if we are not able to give patients confidence to accept the recommendations of their physicians."
The FDA's most recent statement against the Symbiq infusion pump was foreshadowed by a July 21 warning by the Department of Homeland Security's cyber emergency response team.
Hospira will soon become part of Big Pharma company Pfizer ($PFE), after it agreed in February to be taken over for about $16 billion. Pfizer is most interested in Hospira's emerging biosimilar business but has said Hospira's infusion pumps and related consumables differentiate it from the competition.