The Food and Drug Administration (FDA) has issued a safety alert to users of the Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems to warn of security vulnerabilities with the programmable pumps.
The Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems are computerized infusion pumps designed to continuously deliver anesthetic or therapeutic drugs. They can be programmed remotely through a health care facility’s Ethernet or wireless network. The FDA and Hospira have become aware of security vulnerabilities in the Hospira pump systems. An independent researcher has released information about these vulnerabilities, which, if exploited, could allow an unauthorized user to interfere with the pump’s functioning.
An unauthorized user could access the pump remotely and modify the drug dosage, which could lead to over- or under-infusion of critical medications. In the alert, the FDA said it is not aware of any patient adverse events or unauthorized device access related to these vulnerabilities.
The FDA advises health care facilities to take the steps described below to reduce the risk of unauthorized access. These recommendations come from the Department of Homeland Security's May 13, 2015 advisory, Hospira LifeCare PCA Infusion System Vulnerabilities (Update A).
The FDA advises facilities to perform a risk assessment to identify potential vulnerabilities. The facility should determine whether to maintain wireless connectivity between the pumps and an isolated portion of the network, establish a hard-wired connection between the system and the facility’s network, or remove the system from the network.
The FDA warns that disconnecting the device will require manual updates of drug libraries, and that data normally transmitted to MedNet from the device will not be available. Manual updates to each pump can be labor-intensive and prone to entry error.
Hospira is preparing a letter to customers with risk mitigation strategies to follow. Customers can access the instructions through Hospira’s Advanced Knowledge Center. The FDA recommends that health care facilities follow good cybersecurity practices outlined in the FDA Safety Communication Cybersecurity for Medical Devices and Hospital Networks (June 2013), including restricting unauthorized access to the network and networked devices; keeping antivirus software and firewalls up to date; and monitoring the network for unauthorized use.