8/31/2015
How Concerned Is FDA Over Cybersecurity? Look To Hospira ­ Law360
Portfolio Media. Inc. | 860 Broadway, 6th Floor | New York, NY 10003 | www.law360.com
Phone: +1 646 783 7100 | Fax: +1 646 783 7161 | customerservice@law360.com
How Concerned Is FDA Over Cybersecurity? Look
To Hospira
Law360, New York (August 31, 2015, 11:53 AM ET) ­­ On July 31,
2015, the U.S. Food and Drug Administration issued a
cybersecurity alert to health care facilities currently using certain
infusion pumps manufactured by Hospira Inc. The alert warns
health care facilities about security vulnerabilities in Hospira's
Symbiq Infusion System (Version 3.13 and prior) that could allow
unauthorized access to the device and interfere with the device's
proper functioning. The Hospira device communicates with a
health care facility's network and information systems to control
dosage delivery. According to the alert, an unauthorized user
could potentially access the Hospira device remotely and alter
the dosage it delivers, which could lead to overinfusion or
underinfusion of critical patient treatments. The FDA strongly
encourages health care facilities to transition to alternative
infusion systems and discontinue use of this particular Hospira
infusion pump.
William R. O'Connor
Other Hospira infusion pump systems, including the LifeCare PCA3 and PCA5 infusion pump
systems, reportedly contain similar vulnerabilities. The FDA did not address these other
Hospira devices in its most recent cybersecurity alert and has not recommended their use
be discontinued; however, the FDA did warn of similar security vulnerabilities in these
devices in an alert issued on May 13, 2015.
Thus, health care facilities using the devices mentioned in the May alert should also
seriously consider transitioning to other infusion pump systems and should exercise caution
when selecting replacement devices.
This is the first time the FDA has recommended discontinuing use of a specific medical
device based on cybersecurity concerns. The fact that the FDA issued a device­specific
cybersecurity alert indicates both the seriousness of the vulnerabilities in the Hospira
devices and the FDA's seriousness in addressing cybersecurity issues.
Besides transitioning to secure infusion pump systems, the FDA alert has other implications
for health care facilities and medical device manufacturers.
The security vulnerabilities in the Hospira devices could be life­threatening if exploited by a
person with malicious intent. Because of the serious threat to patient safety presented by
these security vulnerabilities and the FDA's seriousness in addressing cybersecurity issues,
health care facilities should review their information security programs and take
appropriate measures to address the vulnerabilities identified in the FDA alert and to ensure
their information security programs are comprehensive and up to date.
http://www.law360.com/articles/696325/print?section=health
1/4
8/31/2015
How Concerned Is FDA Over Cybersecurity? Look To Hospira ­ Law360
Likewise, medical device manufacturers should analyze their existing products for security
vulnerabilities, assist their customers with addressing vulnerabilities by providing security
patches or replacement products (if necessary) and ensure that, going forward,
cybersecurity is an integral part of the product development life cycle.
Medical device manufacturers should take the FDA’s warning seriously and safeguard
against cybersecurity vulnerabilities in future products by carefully considering possible
cybersecurity risks while designing products and having a plan to manage system or
software updates for those products.
Fortunately for manufacturers, on Oct. 2, 2014, the FDA issued guidance designed to
strengthen the safety of medical devices. The guidance makes recommendations to
manufacturers for managing cybersecurity risks to better protect patient health and
information. More specifically, the guidance, “Content of Premarket Submissions for
Management of Cybersecurity in Medical Devices,” recommends that manufacturers:
Develop a set of cybersecurity controls to assure medical device cybersecurity and
maintain medical device functionality and safety.
Consider cybersecurity risks as part of the design and development of a medical
device by establishing design inputs for the device related to cybersecurity, and
establishing a cybersecurity vulnerability and management approach as part of the
required software validation and risk analysis, which should address:
1. identification of assets, threats and vulnerabilities;
2. assessment of the impact of threats and vulnerabilities on device functionality
and end users/patients;
3. assessment of the likelihood of a threat and of a vulnerability being exploited;
4. determination of risk levels and suitable mitigation strategies; and
5. assessment of residual risk and risk acceptance criteria.
Submit documentation to the FDA about the risks identified and controls in place to
mitigate those risks.
Submit plans for providing patches and updates to operating systems and medical
software.
Health care facilities and providers should also take the FDA's warning seriously because a
medical device cyberattack that results in harm to a patient would almost certainly cause
reputational harm and have adverse legal and financial consequences. Thus, health care
facilities and providers should seriously consider medical device issues in their Health
Insurance Portability and Accountability Act compliance programs. Information security
officers should take action to ensure they have physical, technical and administrative
safeguards in place to protect against these types of threats.
Examples of recommended actions to take to protect against such threats include, but are
not limited to:
http://www.law360.com/articles/696325/print?section=health
2/4
8/31/2015
How Concerned Is FDA Over Cybersecurity? Look To Hospira ­ Law360
Obtaining a thorough understanding of the medical devices that connect to the
computer systems and networks, and anticipating potential threats and
vulnerabilities.
Creating policies, procedures and contingency plans for preventing or minimizing
damage from cyberattacks and maintaining critical functionality.
Creating policies and procedures for securely integrating medical devices into a
health care facility's electronic infrastructure, as well as securely removing such
devices.
Employing good design practices that include network segmentation, properly
configured firewalls and monitoring traffic among systems and devices within the
organization for unauthorized use.
Conducting regular risk assessments of the organization's computer systems and
networks, including medical devices.
Disabling wireless connectivity for as many devices as possible.
Restricting unauthorized access to the organization's computer systems, networks and
network­connected medical devices.
Keeping software, firmware and operating systems up to date on all systems and
devices.
Closing all unnecessary ports and disabling all unnecessary services on all systems
and devices.
Contacting the medical device manufacturer if you think you have a cybersecurity
problem with a medical device.
Conducting employee cybersecurity training.
Health care facilities and providers that have Hospira infusion systems containing the
above­mentioned security vulnerabilities should consider taking the following actions to
reduce the risk of unauthorized access while transitioning to an alternative infusion system:
Disconnect the device from the network. Caution: Disconnecting the device from the
http://www.law360.com/articles/696325/print?section=health
3/4
8/31/2015
How Concerned Is FDA Over Cybersecurity? Look To Hospira ­ Law360
network will impact operations and will require drug libraries to be updated manually,
which can be labor­intensive and prone to entry error.
Ensure that all unnecessary ports are closed, including port 20 (FTP) and port 23
(telnet).
Monitor all network traffic attempting to reach the device via port 20 (FTP), port 23
(telnet) and port 8443.
Contact Hospira's technical support to change the default password used to access
port 8443 or close port 8443.
Given the seriousness of the vulnerabilities in the Hospira devices and the FDA's apparent
seriousness in addressing cybersecurity issues with medical devices, health care facilities
and medical device manufacturers would be well­advised to review their existing practices
and implement the measures suggested above to mitigate cybersecurity risks with existing
and future medical devices.
—By William R. O'Connor, Baker Donelson Bearman Caldwell & Berkowitz PC
William O'Connor is a certified information privacy professional and a member of Baker
Donelson Bearman Caldwell & Berkowitz's privacy and information security team in the
firm's Memphis, Tennessee, office.
The opinions expressed are those of the author(s) and do not necessarily reflect the views
of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates.
This article is for general information purposes and is not intended to be and should not be
taken as legal advice.
All Content © 2003­2015, Portfolio Media, Inc.
http://www.law360.com/articles/696325/print?section=health
4/4