“Hospira and an independent researcher confirmed that Hospira’s Symbiq Infusion System could be accessed remotely through a hospital’s network. This could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies,” the Food and Drug Administration warned.
“Hospira has discontinued the manufacture and distribution of the Symbiq Infusion System, due to unrelated issues, and is working with customers to transition to alternative systems. However, due to recent cybersecurity concerns, the FDA strongly encourages health care facilities to begin transitioning to alternative infusion systems as soon as possible.”
Fortunately, both the FDA and Hospira note they are “currently not aware” of any patient adverse events or unauthorized access of a Symbiq Infusion System in a health care setting. Nevertheless, the recent cybersecurity warning illustrates just how quickly security requirements for the health care ecosystem are evolving, which poses a major challenge to the industry.
Indeed, Ernest Worthman of Semiconductor Engineering recently described the health care space as “woefully ill-prepared” for a digital Cyber Age.
“This is a rather dismal assessment, considering that the volume of personal health-related data is an order of magnitude greater than the equivalent data in the financial segment and growing rapidly,” he opined. “Within the past couple of years, millions of personal health care records have been leaked. Yet the health care industry is still behind other critical industries in security spending.”
Worthman also noted that most of today’s medical devices integrate reconfigurable embedded systems – many of which are known to be vulnerable to various cybersecurity breaches.
“As interconnected medical devices proliferate and connect via hospital networks, the Internet, other medical, and smart devices, the risk of cybersecurity breaches that could affect how a medical device functions rises dramatically,” he confirmed.
To be sure, a plethora of dedicated medical devices that were previously offline – such as infusion pumps and implantable heart devices – are now being connected to the rapidly evolving IoT. Some are equipped with standard electronic components, exposing unsecured software functionality.
As we’ve previously discussed on Rambus Press, a software-centric security approach for medical devices inevitably requires frequent updates due to unforeseen vulnerabilities. To avoid potentially dangerous scenarios, medical companies should strive to make building strong hardware-based security a primary design goal, rather than depending on patches after a device has already hit the market.