25% off all training courses Offer ends June 26, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends June 26, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Hospital Drug Pump Hacking Risk Discovered

Posted By on Aug 6, 2015

In addition to having to deal with the threat to electronic health records from hackers, hospitals must also be wary of attacks on their medical devices; as evidenced by a new Food and Drug Administration (FDA) warning over a drug pump hacking risk that exists with Hospira’s Symbiq drug pump.

Symbiq Drug Pump Hacking Risk Warning Issued by FDA

 

Only a few days ago, two hackers discovered it was possible to hack into the onboard computers of Fiat Chrysler automobiles and take control of the vehicle; now patient’s plugged into the Symbiq drug pump could potentially be at the mercy of malicious hackers.

Such is the severity of the Symbiq drug pump hacking risk, on Friday last week the FDA issued a warning to all hospitals using the device, instructing them to retire the devices and make the transition to other, more secure drug infusion pumps.

In the meantime the FDA recommended that healthcare providers should “disconnect the pumps from their networks and update their drug libraries manually.” Since the vulnerability can be exploited via unused ports on the devices, the FDA also recommended blocking all unused open ports on the devices.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Should hackers manage to exploit the security vulnerability, it would be possible to change the dosage of administered drugs, resulting in patients receiving less medication than required or overdosing; potentially placing the lives of patients at risk.

Independent Researcher Confirms High Risk of Attack via Wireless Networks

 

While the hacking risk certainly exists, to date the FDA has received no reports of the devices actually being hacked, or of any patients coming to harm as a result of the security vulnerability; however, with such a serious vulnerability existing it is only a matter of time before a criminal causes a patient to come to harm. It is also possible to exploit the vulnerability to gain access to a healthcare network, and the confidential patient health information that is stored. The devices are particularly susceptible to attack via wireless networks, according to an independent cybersecurity researcher.

Hospira no longer manufacturers the Symbiq device; but there are still a number of units being used in U.S hospitals. A Hospira spokesperson responded to the FDA warning saying, “We are communicating with customers at the limited number of sites where Symbiq remains in use,” the spokesperson went on to say “We have worked with them to deploy an update to the pump configuration to close access ports and put additional cybersecurity protections in place.”

The FDA press release confirmed the latest security vulnerability has been communicated to both Homeland Security and the Federal Bureau of Investigation.

A Number of Issues Discovered with Hospira Medical Devices

 

This is not the first Hospira drug pump hacking risk that has been reported. Earlier this year, the FDA and Homeland Security’s Industrial Control Systems’ Cyber Emergency Response Team identified security vulnerabilities with the company’s LifeCare PCA 3 and PCA5 drug administration pumps. Also, in 2012, imports of Hospira devices from the company’s Costa Rica plant were banned in the U.S due to a number of quality issues with the devices, although those issues have since been rectified and importation of the devices has recommenced.

Hospira has responded to the FDA and Homeland Security by saying its newer devices have been manufactured with additional protections to counter the device hacking risk, and that its latest Plum 360 infusion pumps do not have the same vulnerability as the Symbiq range.

Major Medical Device Hacking Risks

 

Earlier this year, TrapX Labs, an independent research team of TrapX Security, identified a number of medical device hacking risks, which hackers were trying to exploit to gain access to computer networks. Any electronic device that is connected to a healthcare computer network is a potential point of entry for hackers; hospitals must therefore keep abreast of the latest cybersecurity bulletins and warnings and take action to secure their devices. Failure to do so could result in the loss or exposure of Protected Health Information, or patients coming to serious harm.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist