The FDA issued guidance to help health care facilities protect against security vulnerabilities found in two computerized drug infusion pumps manufactured by Hospira, AHA News reports (AHA News, 5/14).

Background

Last year, news broke that the Department of Homeland Security was investigating possible vulnerabilities in about 24 medical devices, including Hospira's drug infusion pumps.

Officials said that there had been no documented instances of medical device hacking at the time.

Meanwhile, FDA last year issued non-binding guidance on the types of security features that should be included in new medical devices (iHealthBeat, 11/26/14).

Details of New Guidance

FDA's most recent guidance follows a report from an independent researcher detailing how vulnerabilities with two Hospira pump systems' security could allow hackers to interfere with their normal functions.

The guidance relates to Hospira's LifeCare PCA3 and PCA5 Infusion Pump Systems, which can be programmed remotely via wireless or Ethernet connections.

FDA said it is not aware of any instances in which unauthorized access to the pumps has caused adverse events. However it has issued recommendations to reduce the risk of hacking (AHA News, 5/14).

The guidance includes suggestions, such as:

• Following the cybersecurity best practices outlined in FDA's 2013 cybersecurity guidance; and
• Performing risks assessments of the devices (FDA guidance, 5/13).