The U.S. Food and Drug Administration (FDA) has issued a safety communication warning of security vulnerabilities with the Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems. These systems are computerized pumps that deliver continuous anesthesia or therapeutic drugs. They can be controlled remotely via wireless network or Ethernet.
The safety communication, dated May 13th, states that certain security vulnerabilities exist that could allow an outside party to interfere with the pump’s functioning. This could result in dosages that are too high or too low. “An independent researcher has released information about these vulnerabilities, including software codes, which, if exploited, could allow an unauthorized user to interfere with the pump’s functioning. An unauthorized user with malicious intent could access the pump remotely and modify the dosage it delivers, which could lead to over- or under-infusion of critical therapies,” the FDA notification said. No adverse events have been linked to this issue so far.
The FDA is making several recommendations to health care facilities in order to minimize security vulnerabilities with the pump systems. These include closing unused ports, isolating the system from the internet and untrusted systems, using interrogation techniques, and other methods such as maintaining “layered physical and logical security practices for environments operating medical devices” and implementing “good design practices that include network segmentation. Use properly configured firewalls to selectively control and monitor traffic passed among the systems within your organization.” The agency also advises a risk assessment to determine whether to remove the system from the network.
The notification cautions that drug libraries will need to be updated manually if the device is disconnected. Additionally, data that is normally transmitted to MedNet from the device will no longer be available.