FDA warns of security vulnerabilities in infusion pumps

Vulnerabilities in computerized infusion pumps could allow unauthorized users to gain access to the devices and modify the doses they deliver, according to a warning from the U.S. Food and Drug Administration.

The Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems deliver anesthetic or therapeutic drugs to patients and can be programmed through a hospital's wired or wireless network, according to the FDA.

Hospira infusion pumps were also part of an October 2014 investigation of medical devices and hospital equipment by the U.S. Department of Homeland Security. DHS expressed concerns that the tools could be activated remotely and said at the time that it was working with manufacturers to identify and repair software bugs and vulnerabilities.

The FDA said it currently is "not aware of patient adverse events or unauthorized device access related to these vulnerabilities."

FDA recommendations for health systems that use these devices include the following:

  • Close Port 20/FTP and Port 23/TELNET and any other unused ports on the infusion pumps.
  • Isolate the device from the Internet and untrusted systems.
  • Maintain security practices for environments operating the pumps.
  • Perform a risk assessment by examining the specific clinical use of the device.

Cybersecurity in medical devices cannot be seen as an afterthought, many in the industry have said. Security should be built into such tools, according to health IT analyst Shahid Shah.

"Security and data privacy should be elevated to ... competitive differentiator status," he said. "Many device manufacturers will treat security as a compliance activity bolted on at the end--those designers will end up creating insecure devices that will get their customers' data hacked or stolen, and land their customers on the front pages of newspapers."
