In an unprecedented move, the federal government is warning health care facilities to stop using a popular drug pump that NBC 5 Investigates first warned you about two weeks ago, because of a cybersecurity risk.
The Symbiq drug infusion pump made by Hospira, in Lake Forest, Illinois, was designed to protect patients from receiving the wrong dose of drugs. But security researchers say the popular medical pump could be hacked – to potentially give a patient a deadly dose of drugs.
“What we are talking about is being able to remotely take over an IV pump,” said security researcher Billy Rios.
Rios showed NBC5 Investigates how the computerized pump – which is used in hospitals all over the world – could be manipulated remotely through a hospital’s network.
“This could be used to hurt somebody, unequivocally, we’ve already demonstrated that,” said Rios.
A Hospira spokesperson told us at the time of the original report that “there are no known instances of cybersecurity breaches of Hospira devices in a clinical setting.”
Additionally, we were told the pump was being “removed from the market.” And that the company was working with the FDA and DHS on “vulnerabilities in our infusion pumps.”
Two weeks after our investigation aired, the federal government issued this warning to hospitals, nursing homes and health care facilities to “discontinue use of these pumps.”
Hospira stopped making Symbiq pumps in 2013 – they say because of unrelated issues. But the pumps are still being used in health care facilities. And NBC 5 Investigates found a number of third parties still selling the Symbiq pumps.
“These are very serious issues,” Rios said.
The FDA recommends health care providers disconnect the pumps from their networks and update their drug libraries manually – a process that can be labor intensive and prone to error.
A Hospira company spokesperson tells us she expects the device to be fully retired from the market by the end of the year.