Medical Device Makers Have No More Cybersecurity Excuses

FDA just gave all medical device makers a major reason to prioritize hacking defenses. The agency has called for health care facilities to stop using Hospira's Symbiq Infusion System because of "cybersecurity vulnerabilities."

Marie Thibault

If they didn't already take the threat of medical device hacking seriously enough, device manufacturers surely have a reason to care now—FDA has highlighted one company's product for "cybersecurity vulnerabilities" and warned customers to quit using it.

Late last week, FDA issued a safety communication on Hospira's Symbiq Infusion System to "strongly encourage that health care facilities transition to alternative infusion systems, and discontinue use of these pumps."

Of course, this isn't the first warning about the Symbiq Infusion System, which was already on its way off the market. Hospira announced in May 2013 that it would retire the Symbiq system, along with some of its other infusion pumps, as part of its strategic business plan. A July 21, 2015 updated advisory from the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) notes that Hospira planned to retire Symbiq on May 31, 2015 with full market removal by December 2015.

According to the FDA safety communication, the company and an independent researcher—named as well-known cybersecurity expert Billy Rios in the ICS-CERT communication—found that someone could use a hospital network to access the Symbiq Infusion System. "This could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies," the communication notes. 

The company and agency don't know of any hacking or patient problems as a result of this vulnerability.

As MD+DI editor in chief Jamie Hartford wrote earlier this year, the medtech industry doesn't seem to be taking the threat of cyberattacks seriously enough, given the lack of reader interest in cybersecurity articles. As one expert in Hartford's piece pointed out, a big reason for this lackadaisical approach may be that device makers haven't yet had to face a direct problem due to cybersecurity. 

An FDA directive to stop use of a medical device is as direct a call to action as almost anything, save an injured or dead victim of a device cyberattack. 

Will this FDA safety communication be the first of many, or will it serve as a strong enough warning to other medical device companies? That remains to be seen.

 

Learn about the latest medical device technologies at the MEDevice San Diego conference and exposition, September 1–2, 2015.

Marie Thibault is the associate editor at MD+DI. Reach her at marie.thibault@ubm.com and on Twitter @medtechmarie

 [Image courtesy of SHEELAMOHAN/FREEDIGITALPHOTOS.NET] 

Filed Under
500 characters remaining