The 2015 FDA Cybersecurity Alert That Shaped the Medical Device Industry

The FDA’s 2015 cybersecurity alert on the Hospira Symbiq infusion pump marked a turning point in medical device safety and launched a new era of regulatory oversight.

It could be reasonably argued that the medical device cybersecurity industry was born in August of 2015, when the FDA issued its first-ever cybersecurity alert for a medical device. The device that triggered that alert was the Symbiq drug infusion pump by the erstwhile manufacturer Hospira. The pump was reported to be vulnerable to a buffer overflow attack, which, if successfully executed, could give an attacker root access to the device, allowing the clinical functions of the pump to be altered or stopped entirely. It was the FDA response to this vulnerability and the tremendous publicity it received that abruptly transformed the medical device industry, establishing cybersecurity as a new, critical component of medical device safety. And it was this alert that would launch both a new set of regulatory standards and the medical device cybersecurity industry as we know it today.

At the time of this event, Harbor Labs was led by Dr. Avi Rubin, who in addition to serving as Chief Scientist was also the Director of the Health and Medical Security (HMS) Lab at Johns Hopkins University. Dr. Rubin had recently testified before the US Congress on medical cybersecurity, and as a direct result of his testimony at these hearings, Hospira selected Harbor Labs to analyze the Symbiq vulnerability and develop a remediation plan.

The effort was led by Dr. Mike Rushanan, who had himself received his PhD through the JHU HMS lab under Dr. Rubin, and today serves as the Harbor Labs Chief Scientist. Dr. Rushanan and the Harbor Labs staff were able to recreate the attack that produced the buffer overflow, writing their own custom input injector and shellcode. Then, working with the manufacturer, Harbor Labs developed the security patch needed to eliminate the vulnerability. The device was soon thereafter approved to resume clinical sales.

The publicity and market impact of the Symbiq episode would shape the future of Harbor Labs. With the distinction of being the cybersecurity consultants that rescued a medical device from a critical vulnerability and returned it to the market, Harbor Labs was put at the forefront of the burgeoning medical cybersecurity consulting industry. Over the coming years, Harbor Labs would benefit from this pioneering reputation, partnering with many of the medical device industry’s most prominent manufacturers on their cyber policies and regulatory submissions, and working with regulators to help shape the constantly evolving regulatory landscape. It was that critical role played by Harbor Labs as the medical device industry was first forming in 2015 that would put the company on the trajectory to the market-leading position we enjoy in the industry today.

About the Author

  • Nick Yuran
    CEO

    Nick Yuran is the CEO of Harbor Labs. After a career in US intelligence, Nick entered private industry and today applies those experiences in national security to the cyber disciplines he manages at Harbor Labs. As a serial entrepreneur, Nick has led several companies to successful exits, including companies in the satellite, enterprise networking, and cybersecurity markets. His most recent exit was the merger of a medical Internet of Things cybersecurity technology company, and he remains a strong advocate in the medical and healthcare IT security industry today. Nick holds a BA in Slavic Languages from the University of Arizona and an MS in Telecommunication Engineering from George Washington University.