The Food and Drug Administration (FDA) has issued an alert regarding cybersecurity vulnerabilities with Hospira’s Symbiq Infusion System.
The Symbiq Infusion System is a computerized pump that provides continuous delivery of infusion therapy primarily used in hospitals and health care facilities. The System communicates with a Hospital Information System (HIS) through a wireless or wired connection over network infrastructures.
However, Hospira and an independent researcher confirmed that the infusion pump could be accessed remotely through a hospital’s network, which could allow for an unauthorized user to control the device and change the dosage settings. This may result in the over- or under-infusion of a patient’s treatment.
Currently, the FDA and Hospira are not aware of any patient adverse events or unauthorized access to the infusion system, but due to cybersecurity concerns, the FDA strongly encourages users to discontinue the use of the pump and transition to alternative infusion systems as soon as possible. The Symbiq Infusion System has been discontinued due to unrelated issues and is not available for purchase. Any purchase of the pumps from a third party is strongly discouraged.
While transitioning to an alternative infusion system, the FDA recommends the following steps to reduce the risk of unauthorized system access:
- Disconnect the affected product from the network.
- Ensure that unused ports are closed, including Port 20/FTP and Port 23/TELNET.
- Monitor and log all network traffic attempting to reach the affected product via Port 20/FTP, Port 23/TELNET and Port 8443.
- Contact Hospira’s technical support to change the default password used to access Port 8443 or close it.
For more information call (888) 463-6332 or visit FDA.gov.