FDA Investigates Cybersecurity Issues with Infusion Pump Systems

The FDA is actively investigating vulnerabilities identified in Hospira’s LifeCare PCA3 and PCA5 infusion pump systems.

These computerized pump systems are designed for the continuous delivery of anesthetic or therapeutic drugs and can be programmed remotely through a health care facility’s Ethernet or wireless network.

If the systems’ software codes and other identified susceptibilities are exploited, an unauthorized user could interfere with the pumps’ functioning and possibly modify the drug dosage it delivers, which could lead to over- or under-infusion of critical therapies.

Currently, the FDA is not aware of any adverse effects or unauthorized device access related to these security issues.

While it works with the Department of Homeland Security and Hospira to determine the extent of the vulnerabilities, the FDA is advising health care facilities to:

• Perform a risk assessment by examining the specific clinical use of the Hospira LifeCare PCA Infusion Pump System to identify any potential impact of the identified vulnerabilities.
• Look for and follow risk mitigation strategies outlined in an upcoming letter from Hospira to its customers. Customers can access the instructions and other risk mitigation measures via Hospira’s Advanced Knowledge Center.
• Follow the good cybersecurity hygiene practices outlined in the FDA Safety Communication Cybersecurity for Medical Devices and Hospital Networks.