Medical device security vulnerabilities prompt FDA alert

By Government Health IT Staff
01:21 PM
Share

The U.S. Food and Drug Administration issued an alert last week recommending that health care facilities take steps to reduce security vulnerabilities in drug infusion pumps made by Hospira.

FDA said information has been publicly released about these vulnerabilities, including software codes, which, if exploited, could allow an unauthorized user to interfere with the pump’s functioning.

“As a result, an unauthorized user with malicious intent could access the pump remotely and modify the dosage it delivers, which could lead to over- or under-infusion of critical therapies,” the FDA alert said.

The alert relates to health care facilities using the Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems. The FDA said facilities can reduce the risk of unauthorized access by implementing the recommendations issued by U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). Those recommendations include closing specific ports on the pumps, isolating the pumps from their Internet connection and untrusted systems, maintaining existing security practices and network segmentation, and performing risk assessment.

The alert followed a notice May 13 from the ICS-CERT warning of the vulnerability. The notice said an improper authorization vulnerability and an insufficient verification of data authenticity vulnerability had been identified in Hospira’s LifeCare PCA Infusion System. The vulnerabilities could allow an attacker to remotely modify LifeCare PCA Infusion pump, alerting medication libraries and pump configuration, ICS-CERT said in its alert.

In November 2014, the FDA published nonbinding guidance recommending best practices for securing medical devices. The guidance was issued after an October 2014 report that the Department of Homeland Security was investigating 24 medical manufacturers, including Hospira, was security flaws in medical devices.

ICS-CERT said Hospira has developed a new version of the LifeCare PCA Infusion System and has stated that this new version will mitigate these vulnerabilities.