An FDA alert issued last Friday warns that a common medical device that regulates medicine in intravenous drips is vulnerable to hackers. The federal agency strongly encouraged health care facilities to “discontinue use” of the Symbiq medical pumps made by Hospira because of “cybersecurity vulnerabilities” first exposed by a Bay Area security researcher.
The pumps are designed to deliver medicine intravenously to prevent patients from getting incorrect dosages. They connect wirelessly to a hospital’s network. According to security experts, that’s where hackers can take control of the device.
“There’s patient lives at stake here,” said security researcher Billy Rios. The decorated Marine captain now runs a private research company based in Half Moon Bay. For the past 12 years, Rios has worked on cyber security projects for the US Department of Defense, Google, and Microsoft. But last year, Rios’ research hit close to home when he was rushed to the emergency room at a Bay Area hospital.
“I had what’s called a CSF [cerebrospinal fluid] leak, which is basically brain fluid leaking out of my nose,” Rios said.
As he recovered from surgery, Rios said he noticed the patient next to him was hooked up to a Symbiq medical pump, made by Hospira. It was the same type of device Rios had studied for security flaws.
“It was kind of a scary moment,” Rios said.
In a video he shared with NBC Bay Area, Rios demonstrated a takeover of the Symbiq pump as part of a security experiment, showing how he could remotely control the machine and change the amount of medicine it delivered.
The security vulnerability could affect a large number of patients.
“Most patients are continuously receiving intravenous fluids or medications through an IV,” Dr. Bradley Knight, Director of the Heart Rhythm Program at Northwestern Memorial Hospital, said.
“Almost anybody in a hospital could be harmed if you change the rate of infusion or you change the maximum amount a person could administer of a narcotic,” Knight said.
Rios said the Symbiq is one of five pumps made by Hospira that are vulnerable to hackers. After receiving Rios’ video, the FDA issued an alert in May warning hospitals about two of the five pumps, the LifeCare PCA3 and PCA5 Infusion pump systems.
Now the FDA is warning users of the Hospira Simbiq Infusion system. The Associated Press reports that this is the first time the FDA has warned caregivers to stop using a product because of cyber security issues.
Hospira declined to say how many of its pumps are currently in clinical settings, but the company told NBC Bay Area the Symbiq will be “removed from the market” by the end of the year. In a written statement, a company spokesperson said, “there are no known instances of cybersecurity breaches of Hospira devices in a clinical setting."
"We’d like to reiterate," said Hospira spokesperson Tareta Adams, "that we have worked with customers to deploy an update to the Symbiq pump configuration and put enhanced cybersecurity protections in place while the device remains in the market for the next few months."
Hospira provided a lengthy list of “how to address the vulnerabilities” in hospitals that still have devices. These fixes ranged from using network firewalls to disconnecting the devices from the internet.
It’s little consolation to cyber security expert and former patient Billy Rios: “The Nintendo Wii should not be more secure than an infusion pump,” Rios said. “They make devices that can be used to kill people. They’re network connected devices,” emphasized Rios. “At the end of the day when you take one of these things apart it’s a computer. They have a responsibility to make sure the software is secure.”