The US Food and Drug Administration (FDA) has advised hospitals not to use Hospira’s Symbiq infusion system, saying a security vulnerability could allow cyber attackers to take remote control of the system
The FDA issued the advisory after the US Department of Homeland Security (DHS) warned of the vulnerability in the pump, which is used to deliver medications directly into the bloodstream of patients.
The FDA and DHS cited research from independent cyber security expert Billy Rios, who found that remote attacks could be launched on patients by accessing a hospital's network.
Both the FDA and DHS said they know of no cases where such an attack has been launched.
However, the FDA said in its advisory that it strongly encouraged healthcare facilities to stop using the Symbiq infusion pump system and move to other devices.
In a warning the FDA said: "This could allow an unauthorised user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies."
It is the first time the FDA has advised healthcare providers to discontinue use of a medical device because of a cyber-security vulnerability.
Hospira is working with Symbiq customers to deploy a software update that closes access ports to the pump and includes other cyber-security protections.
In a statement Hospira said: "This option provides our Symbiq customers with another layer of security for the devices while they remain in the market for another few months."
It said that it was also working with customers of its LifeCare PCA and Plum A+ infusion devices with advice on how to mitigate cyber-security vulnerabilities.
John Halamka, chief information officer with Boston's Beth Israel Deaconess Medical Center, said "They [manufacturers] need to re-engineer their devices with security built in."
The FDA's warning came as industry and government regulators are placing unprecedented attention on public safety risks posed by cyber vulnerabilities in products with embedded computers.