FDA urges healthcare providers to stop using older drug infusion pumps made by Hospira

The Food and Drug Administration invited healthcare providers to stop using older drug infusion pumps made by Hospira due to the risk of cyber attacks.

A few months ago, security experts highlighted the risks related to the hacking of older drug infusion pumps: we discovered that certain versions of common drug infusion pumps are affected by numerous remotely exploitable vulnerabilities that could open the doors to hackers.

In 2012 the US Government Accountability Office (GAO) published a report that highlighted the necessity to secure medical devices such as implantable cardioverter defibrillators or insulin pumps. The recommendation was directed to the Food and Drug Administration (FDA) and invited it to approach the problem seriously considering the risks of

In May, experts discovered that specific versions of Hospira’s Lifecare PCA3 Drug Infusion pumps are affected by a number of vulnerabilities that could be exploited remotely by attackers to completely take over the devices.

The security expert Billy Rios discovered that both the FTP and telnet ports were left open on the Drug Infusion pumps, while port 8443 is accessible using a default login password.

The US Food and Drug Administration has now taken action: the organization has invited healthcare providers to stop using older drug infusion pumps made by Hospira.


“Hospira and an independent researcher confirmed that Hospira’s Symbiq Infusion System could be accessed remotely through a hospital’s network. This could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies,” states a safety communication from the FDA.

“Hospira has discontinued the manufacture and distribution of the Symbiq Infusion System, due to unrelated issues, and is working with customers to transition to alternative systems. However, due to recent cybersecurity concerns, the FDA strongly encourages health care facilities to begin transitioning to alternative infusion systems as soon as possible.”

Hospira confirmed that it is working with affected hospitals to solve the problem and is issuing an update that would fix the security issues.

The popular hacker Billy Rios, who discovered the security issues, reported them to the Department of Homeland Security, which issued a warning last month. The vulnerable systems are the Symbiq Infusion System and Hospira’s Plum A+ Infusion System, Version 13.4 and prior versions, and Plum A+3 Infusion System 13.6 and earlier models.

Although Hospira stopped manufacturing the Symbiq Infusion System two years ago, these devices are still in use in “a limited number of sites.”

“Hospira is continuing to assess cybersecurity across our product line,” Hospira said in a statement. “Exploiting cybersecurity vulnerabilities requires penetrating several layers of network security enforced by the hospital information system, including secure firewalls,” “These measures serve as the primary defense against tampering with medical devices. The cybersecurity protections on infusion pumps add an additional layer of security and play a critical role in providing safe and effective patient care.”

Let me close with the recommendations provided by the FDA to reduce the risk of unauthorized system access:

  • Disconnect the affected product from the network. CAUTION: Disconnecting the affected product from the network will have operational impacts. Disconnecting the device will require drug libraries to be updated manually. Manual updates to each pump can be labor intensive and prone to entry error.
  • Ensure that unused ports are closed, including Port 20/FTP and Port 23/TELNET.
  • Monitor and log all network traffic attempting to reach the affected product via Port 20/FTP, Port 23/TELNET and Port 8443. Contact Hospira’s technical support to change the default password used to access Port 8443 or close it.
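
The monitoring recommendation above can be turned into a simple log review. The following is an added example, not code from the FDA or Hospira: it scans firewall log lines in the netfilter LOG format (abbreviated, constructed samples) for connection attempts to a pump subnet on the listed ports. The subnet, the allowed management host, and the inclusion of port 21 (FTP control) are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Ports named in the FDA recommendations; 21 (FTP control) is an added assumption.
WATCHED_PORTS = {20: "FTP", 21: "FTP", 23: "TELNET", 8443: "LOGIN"}
# Constructed inventory: the pump subnet and the one host allowed to manage pumps.
PUMP_NET = ipaddress.ip_network("10.30.1.0/24")
ALLOWED_SOURCES = {ipaddress.ip_address("10.30.0.5")}

# Constructed sample lines (netfilter LOG format, abbreviated).
SAMPLE_LOG = """\
Aug  3 10:15:02 gw kernel: PUMP IN=eth0 OUT=eth1 SRC=10.20.5.17 DST=10.30.1.12 LEN=60 PROTO=TCP SPT=51234 DPT=23 SYN
Aug  3 10:15:03 gw kernel: PUMP IN=eth0 OUT=eth1 SRC=10.20.5.17 DST=10.30.1.12 LEN=60 PROTO=TCP SPT=51240 DPT=23 SYN
Aug  3 10:16:40 gw kernel: PUMP IN=eth0 OUT=eth1 SRC=10.30.0.5 DST=10.30.1.12 LEN=60 PROTO=TCP SPT=40112 DPT=8443 SYN
Aug  3 10:17:11 gw kernel: PUMP IN=eth0 OUT=eth1 SRC=10.20.9.44 DST=10.30.1.30 LEN=60 PROTO=TCP SPT=33900 DPT=21 SYN
Aug  3 10:18:00 gw kernel: PUMP IN=eth0 OUT=eth1 SRC=10.20.9.44 DST=10.40.2.8 LEN=60 PROTO=TCP SPT=33901 DPT=23 SYN
Aug  3 10:18:05 gw kernel: PUMP IN=eth0 OUT=eth1 SRC=10.20.5.17 DST=10.30.1.12 LEN=60 PROTO=TCP SPT=51300 DPT=443 SYN
truncated line without fields
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def pump_access_attempts(log_text):
    """Count attempts to reach a pump on a watched port, keyed by (src, dst, port, authorized)."""
    hits = Counter()
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "TCP" or not {"SRC", "DST", "DPT"} <= f.keys():
            continue
        try:
            src, dst = ipaddress.ip_address(f["SRC"]), ipaddress.ip_address(f["DST"])
            port = int(f["DPT"])
        except ValueError:
            continue  # malformed address or port: skip rather than crash
        if dst in PUMP_NET and port in WATCHED_PORTS:
            hits[(str(src), str(dst), port, src in ALLOWED_SOURCES)] += 1
    return hits

def report(hits):
    """Render one line per flow: sources outside the allowlist first, then by volume."""
    rows = sorted(hits.items(), key=lambda kv: (kv[0][3], -kv[1]))
    return [f"{'ok   ' if auth else 'ALERT'} {src} -> {dst}:{port}/{WATCHED_PORTS[port]} x{n}"
            for (src, dst, port, auth), n in rows]

if __name__ == "__main__":
    print("\n".join(report(pump_access_attempts(SAMPLE_LOG))))
```

Traffic from the allowed management host is still counted, so a change in its volume or target ports remains visible in the report.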

Pierluigi Paganini
