FDA Warns Healthcare Providers and Manufacturers About Cybersecurity Vulnerabilities in Hospira PCA3 and PCA5 Infusion Pumps

Jun 18, 2015 11:34 CST Updated 11:34
Hospira’s drug infusion pumps pose safety risks; downstream manufacturers should be aware of safety vulnerabilities in their products. — FDA


I previously wrote an article about the harm caused by hacker attacks. I believe that with the development of technology, hacker attacks in the field of internet healthcare will persist and become increasingly severe. The FDA has recently issued warnings regarding communication security in internet healthcare.

Specialized Medical Instruments


The two drug infusion pumps named in the FDA warning are the Hospira PCA3 and PCA5. These computer-controlled pumps are used mainly to administer anesthetics and related therapeutic medications to patients, and they can be remotely controlled over Ethernet and wireless networks. That communication path is what prompted the FDA's concerns about the devices' security:

The FDA and Hospira have confirmed security vulnerabilities in the company's PCA3 and PCA5 products. A third-party researcher publicly released information about these vulnerabilities, including software code that poses inherent risks when used. Unauthorized users could gain access to the system and interfere with the pump's automated drug delivery function. In the event of a malicious intrusion, an unauthorized party could remotely control drug administration and alter dosage levels, with potentially severe and unpredictable consequences.

The FDA stated that no adverse events have been reported to date as a result of these vulnerabilities or of “unauthorized device access.” It nevertheless reminds healthcare institutions to maintain cybersecurity in their operations, as set out in the 2013 “FDA Safety Communication and Conference on Cybersecurity for Medical Devices and Hospital Networks.”

The above warnings contain information that is highly valuable to both digital medical device manufacturers and healthcare institutions.

Recommendations for Manufacturers

Manufacturers must remain vigilant against cyber risks and the harms posed by hacking incidents related to medical devices, including cybersecurity-related risks, and are responsible for taking appropriate measures to address patient safety concerns and ensure the safe and proper operation of the devices. —FDA

The FDA expects medical device manufacturers to minimize the risk of unauthorized access to their devices through a set of appropriate measures. In particular, manufacturers should review the cybersecurity and related security policies of their products to ensure the devices can be used safely, preventing unauthorized users from taking control of a device, altering its settings, or threatening the hospital network through it. The level of security control a device needs depends on its functions, its intended use environment, the types and likelihood of the risks it faces, and the severity of harm to patients should a threat materialize.

With this in mind, the following points should be considered when a manufacturer evaluates its own products:

  • Control unauthorized users' access to devices, especially life-support equipment and devices that connect directly to the hospital network.
  • Specific security controls should include:
    1. User identity verification, such as user ID, password, smart card, or biometric authentication.
    2. Strengthened password requirements, with no hardcoded passwords.
    3. Strict limits on outside access to the passwords used for technical device access, for example through physical locks, card readers, and security personnel.
  • Protect individual components and develop security protection policies suited to the device's use environment, including procedures for timely deployment of security patches and methods that restrict software or firmware updates. The FDA notes that, although it is interested in promoting these recommendations and policies, it generally does not need to review or approve changes to medical device software made solely as security upgrades.
  • Fail-safe mode: the device maintains its essential medical functions even when subjected to a security threat.
  • Devices that have been compromised or attacked should be able to recover and restore correct operation on their own.
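To make the first three items concrete, here is an added Python example (not from the FDA communication, not Hospira's code, and not part of the original article). It places the anti-pattern the list warns against, a single service password baked into every unit, beside a per-device credential store that uses salted PBKDF2 hashes, refuses factory defaults at provisioning, and locks an account after repeated failures. The device identifier, user name, default-password list and thresholds are constructed for illustration; the article names none of them.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed list of factory-default strings that provisioning must refuse.
# Placeholder values only; the article names no specific credential.
FORBIDDEN_DEFAULTS = {"admin", "password", "service", "1234"}
MIN_PASSWORD_LENGTH = 12
PBKDF2_ITERATIONS = 100_000
MAX_FAILED_ATTEMPTS = 5


# --- Weak pattern (the anti-pattern the list warns against) ---------------------
# One service password shared by every unit: whoever learns it from one device,
# a manual or a firmware image can open all of them.
HARDCODED_SERVICE_PASSWORD = "service"  # constructed example of a hardcoded secret


def weak_check(password: str) -> bool:
    """Anti-pattern: compares against a single fixed secret shared by every device."""
    return password == HARDCODED_SERVICE_PASSWORD


# --- Hardened pattern: per-user, per-device salted hashes with lockout ----------
@dataclass
class Credential:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class DeviceAuth:
    """Authentication state held by one device (hypothetical helper for this example)."""
    device_id: str
    users: dict = field(default_factory=dict)

    def provision_user(self, user_id: str, password: str) -> None:
        """Register a credential; refuse known defaults and short passwords up front."""
        if password.lower() in FORBIDDEN_DEFAULTS or len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError("default or weak password rejected at provisioning")
        salt = os.urandom(16)  # fresh salt per credential, so no two devices share a hash
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self.users[user_id] = Credential(salt=salt, digest=digest)

    def verify(self, user_id: str, password: str) -> bool:
        """Constant-time comparison; lock the account after repeated failures."""
        cred = self.users.get(user_id)
        if cred is None or cred.locked:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), cred.salt, PBKDF2_ITERATIONS)
        if hmac.compare_digest(candidate, cred.digest):
            cred.failed_attempts = 0
            return True
        cred.failed_attempts += 1
        if cred.failed_attempts >= MAX_FAILED_ATTEMPTS:
            cred.locked = True
        return False

    def is_locked(self, user_id: str) -> bool:
        cred = self.users.get(user_id)
        return cred is not None and cred.locked


def provisioning_rejects(password: str) -> bool:
    """True if the hardened path refuses this password at provisioning time."""
    try:
        DeviceAuth("pump-demo").provision_user("probe", password)
    except ValueError:
        return True
    return False


def run_demo() -> dict:
    """Exercise both patterns on constructed inputs and return the observations."""
    auth = DeviceAuth("pump-demo-01")  # constructed device identifier
    auth.provision_user("nurse01", "correct horse battery staple")
    results = {
        "weak_accepts_shared_secret": weak_check("service"),
        "hardened_accepts_correct": auth.verify("nurse01", "correct horse battery staple"),
        "hardened_rejects_wrong": not auth.verify("nurse01", "wrong-password-1"),
        "default_rejected_at_provisioning": provisioning_rejects("admin"),
    }
    for _ in range(MAX_FAILED_ATTEMPTS):
        auth.verify("nurse01", "guess")
    # Past the lockout threshold even the right password is refused until an
    # administrator resets the account.
    results["locked_after_failures"] = auth.is_locked("nurse01")
    results["locked_rejects_correct"] = not auth.verify("nurse01", "correct horse battery staple")
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point of the contrast is the blast radius: with `weak_check`, one leaked string opens every unit ever shipped, while with `DeviceAuth` a credential is tied to one device and one user, cannot be recovered from the stored hash without a per-credential brute-force effort, and stops working after a handful of wrong guesses.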


Cybersecurity incidents are becoming increasingly prominent; enterprises and vendors need to consider corresponding response mechanisms to reduce the likelihood of system crashes and improve the efficiency of automated system recovery. — FDA


Safety and Security Protection in Healthcare Institutions

The FDA recommends that hospitals and other healthcare organizations include the following steps in their defenses against intrusion:

  • Restrict unauthorized access to internal networks and to networked medical devices.
  • Regularly update and maintain antivirus software and firewalls.
  • Monitor network activity and restrict the use of any unauthorized devices.
  • Protect individual network components through regular, periodic assessments, including applying security patches and disabling all unnecessary ports and services.
  • If a cybersecurity issue is detected, contact the device's manufacturer to report the vulnerability and ask for help resolving it.
  • Develop and evaluate the devices' fail-safe modes under abnormal operating conditions.
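The first, third and fourth items describe a network-side control rather than a device change. As an added example (not from the FDA communication and not part of the original article), the Python below audits constructed flow-log lines against a small policy: only allowlisted management hosts may reach the subnet that holds the pumps, and only on the one approved service port. The subnet, addresses, ports and log format are constructed placeholders; real deployments would take them from the hospital's own network inventory and the vendor's documentation.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed network policy. Addresses, ports and the subnet layout are
# placeholders for this example; the article names none of them.
PUMP_SUBNET = ipaddress.ip_network("10.20.30.0/24")          # VLAN holding the infusion pumps
ALLOWED_SOURCES = {ipaddress.ip_address("10.20.10.5"),       # pump management server
                   ipaddress.ip_address("10.20.10.6")}       # biomedical engineering console
ALLOWED_PORTS = {443}                                        # the one service the policy permits

# Constructed flow-log lines: "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_FLOWS = """\
2015-06-18T10:00:01 10.20.10.5 10.20.30.21 443 tcp
2015-06-18T10:00:07 10.20.10.6 10.20.30.22 443 tcp
2015-06-18T10:01:12 10.20.40.77 10.20.30.21 443 tcp
2015-06-18T10:02:45 10.20.10.5 10.20.30.21 23 tcp
2015-06-18T10:03:00 10.20.10.5 10.20.50.9 80 tcp
"""


@dataclass(frozen=True)
class Flow:
    timestamp: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dst_port: int
    proto: str


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one flow-log line; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return Flow(parts[0], ipaddress.ip_address(parts[1]),
                    ipaddress.ip_address(parts[2]), int(parts[3]), parts[4])
    except ValueError:
        return None


def classify(flow: Flow) -> Optional[str]:
    """Return a reason string if the flow violates policy, else None.

    Only traffic *into* the pump subnet is judged; everything else is out of
    scope for this check.
    """
    if flow.dst not in PUMP_SUBNET:
        return None
    if flow.src not in ALLOWED_SOURCES:
        return "source not in pump-management allowlist"
    if flow.dst_port not in ALLOWED_PORTS:
        return f"port {flow.dst_port} not an approved pump service"
    return None


def audit(log_text: str) -> List[tuple]:
    """Run every line through parse + classify; return (timestamp, src, dst, reason)."""
    findings = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        reason = classify(flow)
        if reason:
            findings.append((flow.timestamp, str(flow.src), str(flow.dst), reason))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding)
```

On the constructed sample, the first two lines pass, the third is flagged because an unknown host is talking to a pump, the fourth because an approved host is using a port the policy never opened (exactly the "unnecessary ports and services" the FDA list says to disable), and the fifth is ignored because it never touches the pump subnet. The same allowlist can be enforced up front in the firewall rules and used afterwards in log review; the audit is the check that the two agree.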


In the past, hospital hygiene and safety meant traditional cleaning methods and sanitation protocols to prevent the spread of infectious disease. Now facilities must also develop cyber hygiene protocols, a concern that may seem less obvious but is no less real.

However, I believe this warning from the FDA serves as a timely reminder that while digital health and digital medical devices bring us benefits, they are also highly vulnerable to cyberattacks. This translates into increased safety risks for both patients and physicians, and everyone should pay close attention to these security alerts.

Original author: Holly Bridges. Compiled by: Xing Zhaopeng. Editor: Mo Renying.
