Questions ABC7 presented to Pfizer after the company declined an on-camera

interview:
1. When you acquired Hospira, were you aware of the cyber security vulnerabiltiews
in the suite of Hospira infusion pumps?
2. What have you done to remedy the security vulnerabilities
3. Have there been patches, firmware or software updates?
4. The FDA actually issued advisories about some of these products. What did Pfizer
do to respond to these warnings meant for hospitals, medical professionals and
consumers?
5. Who is ultimately responsible for the safety of this equipment?
6. Does Pfizer accept any level or responsibility should one of its medical devices,
known to have cyber security vulnerabilities, be hacked and intentionally or
unintentionally used to cause harm or death to a patient?
7. We understand Pfizer and subsidiary, Hospira, has discontinued the manufacturing
of the Symbiq Infusion System. What steps have been taken, if any, to protect
health care institutions, who already own these machines, from being hacked?
8. Has Pfizer or any subsidiary of Pfizer replaced the manufacture of the Symbiq
Infusion System with other systems designed to perform the same tasks?
9. And if so, what steps have been taken to protect those new designs from being
hacked?
10.
What steps have been taken by Pfizer or any subsidiaries to adhere to the
recommendations by the FDA, issued in January 2016, as outlined in the attached
link?
http://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm48196
8.htm
11.
Is Pfizer aware of, or had any complaints relative to any patient adverse
events due to any hacking incidents on any machines manufactured by Pfizer or
any subsidiaries?
Pfizers response to the above questions:
Cybersecurity in healthcare devices is an important issue that extends beyond infusion pumps. There
have been advisories issued on cybersecurity across the medical device industry. Exploiting
cybersecurity vulnerabilities requires penetrating several layers of network security enforced by the
hospital information system, including secure firewalls. These measures serve as the primary defense
against tampering medical devices. The cybersecurity protections on infusion pumps add an additional
layer of security.
Supporting safe and effective medication delivery is our priority. There are no known cybersecurity
breaches of Hospira devices in a patient or clinical setting, and we have a dedicated team of internal
and third-party cybersecurity experts working to continue to ensure patient safety. Hospira has worked
with ICS-CERT and the U.S. Food and Drug Administration (FDA) as we have become aware of
reported vulnerabilities. When we have received reports, we've worked with customers to further
strengthen device security.
The Symbiq device that had been a part of the cybersecurity discussion is no longer on market. It was
retired as a result of our 2013 decision to focus on new technology. Our actions to address cybersecurity
in existing and new technology underscores our commitment in this evolving area.