A security loophole in Hospira’s LifeCare PCA3 and PCA5 Infusion Pump Systems could be exploited and put patients at risk, the FDA announced on May 13. According to an alert on the agency’s website, the vulnerability could allow a third party to access the pump remotely and modify the programmed dosage through a hospital’s ethernet connection or wireless network, leading to over- or under-infusion of therapeutic drugs. The agency says it is working closely with Hospira and the Department of Homeland Security and will release additional information as it becomes available.

In the meantime, the FDA recommends healthcare facilities take a number of precautions, including the following.

  • Follow the recommendations listed in the May 13, 2015 advisory Hospira LifeCare PCA Infusion System Vulnerabilities (Update A) from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
  • Perform a risk assessment to review the clinical applications of the Hospira infusion pumps and identify the impact of the reported vulnerabilities. Facilities should consider whether to maintain wireless connectivity, transfer the device to a hard-wired connection, or remove the device from their network.
  • Follow the risk mitigation strategies outlined in a forthcoming letter from Hospira. Customers can access more information at Hospira’s Advanced Knowledge Center.
  • Follow the good cybersecurity hygiene practices outlined in the FDA’s June 2013 safety communication,  Cybersecurity for Medical Devices and Hospital Networks

A detailed summary of the safety alert is also available on the FDA website.