×

Citing hacking risk, FDA says Hospira pump shouldn't be used

The federal government says health care facilities should stop using Hospira's Symbiq medication infusion pump because of its vulnerability to hacking.

The Food and Drug Administration said Friday it's the first time it has warned caregivers to stop using a product because of a cybersecurity risk. It comes at a time of rising concerns about breaches of products that connect to the Internet. A week ago, automaker Fiat Chrysler recalled 1.4 million vehicles because of a flaw that made them vulnerable to hackers.

The FDA says the computerized pumps could be accessed remotely through a hospital's network, but it doesn't know of any cases where that has happened. In recent months cybersecurity experts and the Department of Homeland Security have warned that the device could be hacked and remotely controlled, possibly allowing an intruder to change the amount of medication a patient received.

Read More Car hacking: Should you be worried?

Hospira Inc. stopped making Symbiq pumps in 2013 and said it expected most of them would be replaced within two to three years. The Lake Forest, Illinois, company declined to say how many of the products are still in use. The FDA says some third parties still sell Symbiq pumps.

Earlier this year the FDA and the Homeland Security Department's Industrial Control Systems-Cyber Emergency Response Team issued warnings about potential vulnerabilities of Hospira's LifeCare PCA 3 and PCA5 pumps. The company says newer products have additional protection against potential breaches.

The company says its Plum 360 infusion pumps, which went on sale in January, don't have the same vulnerability.

The pumps are computerized and are used to continuously deliver drugs over extended periods. They're used in hospitals, nursing homes and other facilities.

The FDA says health care providers should disconnect the pumps from their networks and update their drug libraries manually — a process the agency warns can be labor intensive and prone to error. It also says unused ports on the device should be closed.

Read MoreAdultery site Ashley Madison hacked, user data leaked

Hospira makes injectable drugs and infusion technologies. In February drugmaker Pfizer Inc. agreed to buy the company for about $15.23 billion, and it expects to complete the deal before the end of the year.

Fiat Chrysler said it would recall about 1.4 million cars and trucks in the U.S. on July 24, days after two hackers revealed that they took control of a Jeep Cherokee SUV over the Internet. The company said the hackers got into the Jeep through an electronic opening in the radio and said it would update software to close it. Fiat Chrysler also said it sealed off a loophole in its internal cellular telephone network with vehicles to prevent similar attacks.

Government safety regulators have started an investigation into the incident.