AUDIENCE
Pharmacy, Nursing, Risk Manager, Engineering
ISSUE
The FDA and Hospira have become aware of security vulnerabilities in Hospira’s LifeCare PCA3 and PCA5 Infusion Pump Systems. An independent researcher has released information about these vulnerabilities, including software codes, which, if exploited, could allow an unauthorized user to interfere with the pump’s functioning. An unauthorized user with malicious intent could access the pump remotely and modify the dosage it delivers, which could lead to over- or under-infusion of critical therapies. The FDA is not aware of any patient adverse events or unauthorized device access related to these vulnerabilities.
The FDA is actively investigating the situation based on current information and close engagement with Hospira and the Department of Homeland Security. As new information becomes available about patient risks and any additional steps users should take to secure these devices, the FDA will communicate publicly.
BACKGROUND
The Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems are computerized infusion pumps designed for the continuous delivery of anesthetic or therapeutic drugs. These systems can be programmed remotely through a health care facility’s Ethernet or wireless network.
RECOMMENDATION
Recommendations for Health Care Facilities:
- Follow the recommendations from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) of the U.S. Department of Homeland Security in the May 13, 2015 Advisory Hospira LifeCare PCA Infusion System Vulnerabilities (Update A).
- Perform a risk assessment by examining the specific clinical use of the Hospira LifeCare PCA Infusion Pump System in your organization’s environment to identify any potential impacts of the identified vulnerabilities.
- Look for and follow risk mitigation strategies outlined in an upcoming letter from Hospira to its customers. Customers can access the instructions and other risk mitigation measures via Hospira’s Advanced Knowledge Center.
- Follow the good cybersecurity hygiene practices outlined in the FDA Safety Communication Cybersecurity for Medical Devices and Hospital Networks, posted in June 2013.
FDA
www.fda.com