Hospira's infusion pumps have been a recall magnet in recent years. Now, FDA is warning that two of its infusion pumps are vulnerable to hackers. 

By Nancy Crotti

FDA has issued an alert to healthcare facilities that the widely used Hospira (HSP) LifeCare PCA3 and PCA5 Infusion Pump Systemsare is vulnerable to hackers.

The computerized infusion pumps, designed for the continuous delivery of anesthetic or therapeutic drugs, can be programmed remotely through a healthcare facility's Ethernet or a wireless network, according to an FDA statement.

Vulnerabilities in the pumps' software codes could allow a hacker to interfere with the pumps' functioning, an independent researcher found.

"An unauthorized user with malicious intent could access the pump remotely and modify the dosage it delivers, which could lead to over- or under-infusion of critical therapies," the agency said.

Hospira has had plenty of FDA-related issues in recent years, including nine Class I-level medical device recalls since the start of 2012. Many of the serious recalls have involved infusion systems.

In the case of the LifeCare's hacking vulnerability, FDA said it is not aware of any harm to patients or unauthorized access to the pumps.

The U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), made several recommendations to healthcare facilities on how to protect their systems.

They advised healthcare facilities to perform a risk assessment to identify potential effects of the identified vulnerabilities.

"Use this risk assessment to help determine whether to maintain wireless connectivity between the Hospira LifeCare PCA Infusion Pump System and an isolated portion of your network, establish hard-wired connection between the system and your network, or to remove the system from the network," the guidance says.

Homeland Security also warned that simply disconnecting the pumps will not suffice, and could lead to errors if facilities return to hand-written notes.

Facilities with questions for Hospira may contact the company's Advanced Knowledge Center.

ICS-CERT has been working with Hospira since May 2014 to address the infusion system's  vulnerabilities, according to Homeland Security. Hospira has developed a new version of the PCS Infusion System that addresses the identified vulnerabilities, the department said.

A report by Wired.com details the research showing "that the Hospira systems don't use authentication for their internal drug libraries, which help set upper and lower boundaries for the dosages of various intravenous drugs that a pump can safely administer."

"As a result, anyone on the hospital's network--including a patient in the hospital or a hacker accessing the pumps over the internet--can load a new drug library to the pumps that alters the limits, thereby potentially allowing the delivery of a deadly dosage," the report said.

The Lake Forest, IL-based company's website says its LifeCare PCA infusion pump was designed to help prevent medication errors that commonly arise in patient-controlled analgesia, including an integrated bar code reader to heighten safe delivery.

In a statement to the media, Hospira said it has"taken a proactive approach to address potential cybersecurity vulnerabilities." The company said it has communicated with customers on how to address the vulnerabilities and will continue to do so, in light of FDA and Homeland Security advisories.

The company also said that a hacker would have to first penetrate a hospital's security network before reaching that of an infusion pump, and that "the pumps are designed to ensure only a clinician can start, stop or change an infusion through physical interaction with the pump."

Hospira has put further cybersecurity protections in place in our next-generation LifeCare PCA device and software, which were submitted in December 2014 to FDA for clearance.

No cybersecurity breaches of Hospira devices have occurred in a clinical setting, the company said, adding that theinfusion pumps cited by FDA and Homeland Security are only distributed in the United States and Canada. More than 55,000 LifeCare PCA3 and PCA5 infusion pumps are in use around the world, according to a company spokesperson.

Potential Device Hacking a Growing Problem

ICS-CERT said last October that it was investigating about two dozen cases of suspected medtech cybersecurity flaws. There have been no reported hacking instances, but Homeland Security officials consider the threat great enough to be working with companies to fix security vulnerabilities.

Reuters last year cited a private notice from the FBI alleging that "[th]e healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely."

In February 2014, news came out that Medtronic, Boston Scientific, and St. Jude Medical had been collectively hacked during the first half of 2013, according to the San Francisco Chronicle.

The newspaper did not disclose its sources, and Medtronic said in an annual SEC filing, "We concluded that the intrusion did not breach any of the databases where we store patient data."

Devices could be compromised, without any reliable proof of who did it, allowing hackers to use legal loopholes to disallow evidence, a device security expert told Qmed last year.

Nancy Crotti is a contributor to Qmed and MPMN.

Like what you're reading? Subscribe to our daily e-newsletter.