The U.S. Food and Drug Administration has issued an alert advising hospitals, nursing homes, and other medical care centers to stop using the Symbiq Infusion System of intravenous pumps, which deliver IV medications with dosages programmed over a hospital’s wireless network.
As the FDA’s release says: “The FDA, the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), and [pump manufacturer] Hospira are aware of cybersecurity vulnerabilities associated with the Symbiq Infusion System. FDA strongly encourages health care facilities transition to alternative infusion systems, and discontinue use of these pumps. Hospira and an independent researcher confirmed that Hospira’s Symbiq Infusion System could be accessed remotely through a hospital’s network.”
If a hacker did gain such illicit remote access, it would be trivially easy to change the programmed drug doses, with results that could be harmful or even fatal to patients. However, the FDA stressed that thus far there’s no evidence any hackers actually have taken advantage of this, although “due to recent cybersecurity concerns, the FDA strongly encourages health care facilities to begin transitioning to alternative infusion systems as soon as possible.”
Healthcare hacking poses major problem
Those unnamed “recent cybersecurity concerns” surely refer to the near-constant stream of major hacking or security-breach stories dominating the news nowadays. A look at the past year’s medical-themed breaches alone (as opposed to retail credit card breaches, thefts of sensitive government data, the discovery that various cars are easily hackable and so on) includes the hacking of a for-profit hospital network operating in 29 states (4.5 million patient records compromised); hackings of the Anthem, Premera Blue Cross and CareFirst BlueCross/Blue Shield health-insurance networks (over 92 million patient records compromised in all); and last month’s announced hacking of UCLA Health in California (4.5 million patient records compromised).
In May, shortly after news of the CareFirst hacking broke, but before the public knew about the UCLA Health hacking, security researchers writing for the Dark Reading security blog went so far as to suggest that “escalating healthcare attacks threaten U.S. healthcare systems …. Imagine a hostile nation-state with your psychiatric records. Or an organized crime ring with your child’s medical file. Or a disgruntled employee with your medical insurance information.”
Nor is it difficult to imagine the damage which a hostile nation-state, organized crime ring, disgruntled employee, or any random hacker could do if it had remote control of the IV systems administering medications to various patients.
Hospira has stopped manufacturing or selling Symbiq IV pumps, and said it is working with hospitals to apply software updates intended to prevent remote access to pumps still in use.