Hackers could change patients’ medicine dosages with vulnerable device, FDA warns

What’s scarier than having to check into the hospital? Checking into the hospital knowing that the device controlling your medication can be taken over by hackers.

This concern has prompted the U.S. Food and Drug Administration to instruct hospitals and medical workers to stop using a patient-care device because it can be hacked and programmed to administer too much or too little medication, the Associated Press reports.

The FDA and an independent cybersecurity research team discovered a flaw in the Hospira Symbiq Infusion System that could allow an attacker to infiltrate the system remotely through a hospital’s network, gaining complete control of a patient’s dosages. The Hospira Symbiq Infusion System is used by medical workers to program automatic dosages of medicine like painkillers.

The FDA said the devices should be disconnected immediately, and hospitals should monitor all the traffic attempting to connect with the affected product. 

“The FDA and Hospira are currently not aware of any patient adverse events or unauthorized access of a Symbiq Infusion System in a health care setting,” the FDA said in a statement.

This is the first time the FDA has ever warned medical practitioners against using a medical product due to the risk of hacking. 

The FDA said that while these devices aren’t available for purchase through Hospira, some third-party providers are still selling them. According to the AP, these aren’t the only devices with the flaw; Hospira’s Plum 360 pumps, which launched earlier this year, are also vulnerable to hacking.

Although this is the first time the FDA has warned against a product on cybersecurity grounds, the risks associated with connected devices have existed for years in hospitals that neglect to lock down everything from medicine pumps to computer passwords.

One 2014 analysis of 100 hospitals across the Midwest found a troubling pattern: Healthcare facilities were using a number of technologies connected to internal networks or to the Web that could easily be manipulated by hackers, including defibrillators meant to start or stop hearts. Wired described the findings:

A wide cross-section of devices shared a handful of common security holes, including lack of authentication to access or manipulate the equipment; weak passwords or default and hardcoded vendor passwords like “admin” or “1234”; and embedded web servers and administrative interfaces that make it easy to identify and manipulate devices once an attacker finds them on a network.

The FDA’s announcement comes just after Fiat Chrysler recalled 1.4 million cars because of a massive vulnerability that let hackers take control of a vehicle. Researchers could even disable the car while it was going 70 miles per hour on the highway.

H/T AP | Photo via norfolkdistrict/Flickr (CC BY 2.0)

Selena Larson

Selena Larson is a technology reporter based in San Francisco who writes about the intersection of technology and culture. Her work explores new technologies and the way they impact industries, human behavior, and security and privacy. Since leaving the Daily Dot, she's reported for CNN Money and done technical writing for cybersecurity firm Dragos.