Class 1 Recall: Vulnerabilities of Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems: FDA Safety Communication
Vulnerabilities of Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems: FDA Safety Communication
Mon May 18 2015
Date Issued: May 13, 2015
Audience: Health care facilities using the Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems
Devices: Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems
Purpose:
The FDA is alerting users of the Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems to security vulnerabilities with these pumps.
Summary of Problem and Scope:
The Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems are computerized infusion pumps designed for the continuous delivery of anesthetic or therapeutic drugs. These systems can be programmed remotely through a health care facility’s Ethernet or wireless network.
The FDA and Hospira have become aware of security vulnerabilities in Hospira’s LifeCare PCA3 and PCA5 Infusion Pump Systems. An independent researcher has released information about these vulnerabilities, including software codes, which, if exploited, could allow an unauthorized user to interfere with the pump’s functioning. An unauthorized user with malicious intent could access the pump remotely and modify the dosage it delivers, which could lead to over- or under-infusion of critical therapies.
The FDA is not aware of any patient adverse events or unauthorized device access related to these vulnerabilities.
Health care facilities can reduce the risk of unauthorized access by implementing the recommendations below.