FDA tells hospitals: Stop using these hackable medication pumps now

Medication doses could be changed remotely, agency says

FDA on Friday said health care providers should stop using a certain medication infusion pump because it is vulnerable to hacking—marking the first time the agency has recommended facilities stop using a device because of cybersecurity concerns.

After a researcher proved that Hospira's Symbiq medication pump could be hacked, the agency warned that the device could be accessed remotely and an attacker could "control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies."

FDA said that while it does not know of any cases of the device being hacked, it "strongly encourages health care facilities to begin transitioning to alternative infusion systems as soon as possible."

Hospira stopped manufacturing Symbiq in 2013, but FDA says the pumps are still sold by some third parties. Hospira declined to say how many of the devices are still in use.

NEJM: When hackers attack a hospital

FDA and the Department of Homeland Security also issued a warning about potential vulnerabilities in Hospira's LifeCare PCA3 and PCA5 pumps earlier this year.

In a statement, Hospira said its newer pumps have additional cybersecurity protections. The company also said it is working with providers to "deploy an update to the pump configuration to close access ports and put additional cybersecurity protections in place" (AP/ New York Times, 7/31; Armstrong, Bloomberg Business, 7/31; Finkle, Reuters, 7/31).

Next in the Daily Briefing

Fontana: What you need to know about the IPPS rule changes

Read now