FDA Warning Highlights Cybersecurity Threats in Medical Device Industry

The US Food and Drug Administration (FDA) has released a warning to healthcare facilities, cautioning them against using Hospira’s (NYSE:HSP) Symbiq Infusion System.
The Industrial Control Systems Cyber Emergency Response Team, a division of the US Department of Homeland Security, recently concluded that the system, which delivers general infusion therapies directly into the bloodstream, could be vulnerable to cyber attacks.
Typically used in hospitals, as well as acute and non-acute health facilities (such as nursing homes and outpatient care centers), the Symbiq Infusion System delivers medications to large patient populations. The main benefit of the system is its ability to wirelessly communicate with hospital information systems. Because the system is centralized and computerized, it cuts down on human error when giving patients the correct medication dosage.
However, that strength is also the system’s greatest weakeness. The FDA warning claims that the Symbiq Infusion System’s wireless capabilities “could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies.”
That said, neither the FDA nor Hospira has reported any past cybersecurity issues with the system. Furthermore, Hospira has already stopped manufacturing the Symbiq Infusion System for unrelated reasons. It’s perhaps for those reasons that the FDA warning doesn’t appear to have hurt the company’s share price, which was trading near its 52-week high of $89.68 on Tuesday afternoon. 

A vital industry to protect

Cybersecurity threats in the medical device industry are of acute importance to manufacturers and healthcare professionals. Unlike other industries, where money or personal data may be on the line, in the medical device industry people’s lives could be at stake in the event of a cyber attack.
As cybersecurity expert Billy Rios told WWMT-TV, “normally what has to happen is we have to wait for someone to be killed and that’s not a good position to be in. We don’t want someone to have to die for them to become a data point in order for us to make a decision.”
Luckily, it seems the medical device industry is starting to take a more proactive approach to the issue. Reuters reported that this is the first time the FDA has cautioned healthcare providers against a medical device due to potential cybersecurity vulnerabilities. The move may herald a new era in which prevention, rather than damage control, is paramount in cybersecurity.
 

Securities Disclosure: I, Morag McGreevey, hold no direct investment interest in any company mentioned in this article.

Related reading: 
What is Cybersecurity Investing?
What is Medical Device Investing?