FDA: Infusion Pumps Have Vulnerabilities
Warning Describes Security Flaws in Certain Hospira Devices
Security vulnerabilities in certain infusion pumps manufactured by Hospira could allow an unauthorized user to alter the dose the devices deliver, the Food and Drug Administration warns.
The announcement comes at a time when the FDA and other agencies have been calling attention to medical device security issues. For example, the FDA issued a medical device security guide last October offering voluntary guidelines (see: FDA Issues Medical Device Security Guide).
The FDA announced the warning about Hospira Lifecare PCA3 and PCA5 infusion pump systems on May 13. The computerized systems, designed for the continuous delivery of anesthetic or therapeutic drugs, can be programmed remotely through a healthcare facility's Ethernet or wireless network.
"An independent researcher has released information about these vulnerabilities, including software codes, which, if exploited, could allow an unauthorized user to interfere with the pump's function," the FDA says. "An unauthorized user with malicious intent could access the pump remotely and modify the dosage it delivers, which could lead to over- or under-infusion of critical therapies."
The FDA notes, however, that it's not aware of any adverse events or unauthorized device access tied to the vulnerabilities identified.
An FDA spokesman declined to comment beyond what was included in the agency's statement, and Hospira did not immediately reply to a request for comment.
The FDA made a series of recommendations for reducing the risks posed by the vulnerabilities. Among them are:
- Perform a risk assessment by examining the clinical use of the pump systems to identify any potential impacts of the identified vulnerabilities. Use this assessment to help determine whether to maintain wireless connectivity between the pump system and an isolated portion of your network, establish a hard-wired connection between the system and your network or remove the system from the network.
- Follow recommendations in the recent advisory from the Industrial Control Systems Cyber Emergency Response Team. Those include such steps as isolating the pump system from the Internet and untrusted systems and maintaining layered physical and logical security practices for environments operating medical devices.
- Follow good cybersecurity hygiene practices as outlined in the FDA Safety Communication, Cybersecurity for Medical Devices and Hospital Networks.
- Look for mitigation strategies to be outlined in a letter from Hospira to its customers, along with risk mitigation measures in the company's Advanced Knowledge Center.
The FDA says it's investigating the situation in collaboration with Hospira and the Department of Homeland Security and will provide updates about any additional steps users should take to secure the devices.
A Call to Action
Back in October, White House Cybersecurity Coordinator Michael Daniel said medical device manufacturers need to do a better job of baking cybersecurity into the development of their products, just as manufacturers in other industries consider potential safety concerns in their designs.
"I think it goes back to some of the root design of just making cybersecurity one of the design features included in any [medical] device or product, the same way we have incorporated electrical security into all of our appliances," Daniel said at an FDA workshop. "We have worked very hard at baking that safety feature into the system. ... I think we're going to have to apply a lot of the same principles we have learned in the safety area into the cybersecurity area."
And in a recent interview, security expert Andrew Hicks, director and healthcare practice lead at the risk management consulting firm Coalfire, said that despite the growing attention that federal regulators have been giving to medical device cybersecurity over the last two years, many healthcare organizations still neglect those devices in their risk management and compliance programs. "A lot of hospitals we see don't include these devices as part of their compliance programs," he said. "We are seeing a lot of uptick in awareness of medical devices, but making sure they're in the scope of security programs and compliance programs is a must at this point."