Malicious actors are looking at every possible avenue to exploit so they can achieve their goals. These vulnerabilities are no longer confined to movie plots; they can be actively exploited, which is why the FDA has issued unprecedented alerts over medical device cyber security risks (emphasis added):
Fortunately, the FDA noted that neither it nor Hospira is currently aware of any patient adverse events or unauthorized access to one of these systems in a health care setting. Hospira posted a statement about “Infusion Device Cybersecurity” on its own website, in which it stated that “there are no known instances of cybersecurity breaches of Hospira devices in a clinical setting.” Hospira also remarked that in order to exploit the cybersecurity vulnerabilities, a hacker would first have to penetrate “several layers of network security enforced by the hospital information system, including secure firewalls.” In other words, the hospital also has responsibility for providing cybersecurity.
Both the FDA and ICS-CERT stated that the manufacturer has already retired the product due to unrelated issues. Nonetheless, the FDA urged hospitals to transition to other infusion systems as soon as possible: “we strongly encourage that health care facilities transition to alternative infusion systems, and discontinue use of these pumps.” In addition, although the particular product is in limited use in North America, the FDA is wary of the secondary market for pre-owned medical devices. Accordingly, the FDA “strongly discourages the purchase of the Symbiq Infusion System” from resellers.