The all new
CBS News App for Android® for iPad® for iPhone®
Fully redesigned. Featuring CBSN, 24/7 live news. Get the App

U.S. officials warn medical devices are vulnerable to hacking

Last Updated Aug 4, 2015 2:23 PM EDT

The federal government is warning about a medical device that could be tampered with by hackers.

The FDA and Department of Homeland Security issued a statement that "strongly encourages" health care facilities to discontinue the use of Hospira's Symbiq infusion pump after officials learned the devices are vulnerable to cybersecurity threats.

The medical device company confirmed that the computerized pumps -- which continuously deliver medication over an extended period -- could be accessed remotely through a hospital's network. This could potentially allow an unauthorized user to control the device and change the dosage of medication the pump delivers to a patient.

The FDA says there have not been any reports of such unauthorized access to a Symbiq Infusion System in a health care setting. That's the good news, says CBS News national security analyst Juan Zarate, "but the risk is there."

Zarate says he's concerned "the vulnerabilities are incredibly widespread as the 'Internet of Things' connects more and more devices, more and more of our systems.... The reality that devices have embedded computer systems that can be potentially accessed, can be infected with malware, and if those systems are connected to hospital systems, it really does create a set of vulnerabilities to our health care system that authorities are now warning about."

medical-device-hacking-risk.jpg
Hospira Symbiq medical infusion pump (right).
KPIX-TV

CBS San Francisco reports the concerns were first brought to light by cybersecurity expert Billy Rios, who discovered that attacks could be launched remotely on patients using the device by accessing a hospital's network.

"By design, you're allowing it to where someone else can control this thing remotely and do things to the pump, or do things to the device or equipment," Rios told the station. "You could basically log into this device with no user name and no password."

Hospira stopped making the Symbiq infusion pump in 2013 due to unrelated issues, and is now working with customers to transition to alternative systems.

"After evaluating reported vulnerabilities, we are communicating with customers at the limited number of sites where Symbiq remains in use," the company said in a statement. "We have worked with them to deploy an update to the pump configuration to close access ports and put additional cybersecurity protections in place. This option provides our Symbiq customers with another layer of security for the devices while they remain in the market for another few months."

Officials strongly advise hospitals and other healthcare facilities to make the transition as soon as possible.

The FDA says that the Symbiq Infusion System may still be for sale from third parties not associated with Hospira and strongly discourages the purchase of the pumps from these outlets.

Hospira says it will continue to work with the FDA to report any new information regarding cybersecurity threats, potential risks to patients and any additional steps that could be taken to protect them.

  • Ashley Welch On Twitter»

    Ashley Welch covers health and wellness for CBSNews.com