FDA issues cyber warning for medical devices, hospital networks

The Food and Drug Administration on Tuesday warned patients and providers about a set of 11 cybersecurity vulnerabilities that may pose risks for certain medical devices and hospital networks.

The vulnerabilities, collectively called URGENT/11, exist in IPnet, a third-party TCP/IP networking stack that handles network communications between computers and is embedded in a number of real-time operating systems, according to the FDA.

“URGENT/11 affects several operating systems that may then impact certain medical devices connected to a communications network, such as wi-fi and public or home Internet, as well as other connected equipment such as routers, connected phones and other critical infrastructure equipment,” states the regulatory agency.

In particular, the FDA warned that some versions of the following operating systems are impacted: VxWorks (by Wind River); Operating System Embedded (by ENEA); INTEGRITY (by Green Hills); ThreadX (by Microsoft); ITRON (by TRON Forum); and ZebOS (by IP Infusion).

“Please note the vulnerable IPnet software component may not be included in all versions of these operating systems,” added the FDA’s safety communication.


Although the FDA said it is not aware of any confirmed adverse events related to the vulnerabilities, the agency warned that software to exploit them is already publicly available and that the risk of patient harm, if the vulnerabilities are left unaddressed, could be significant.

“These cybersecurity vulnerabilities may allow a remote user to take control of a medical device and change its function, cause denial of service, or cause information leaks or logical flaws, which may prevent a device from functioning properly or at all,” according to the FDA.

“It’s important for manufacturers to be aware that the nature of these vulnerabilities allows the attack to occur undetected and without user interaction,” said Suzanne Schwartz, MD, deputy director of the Office of Strategic Partnerships and Technology Innovation in the FDA’s Center for Devices and Radiological Health. “Because an attack may be interpreted by the device as a normal network communication, it may remain invisible to security measures.”

The agency urged medical device manufacturers to work with providers to determine which devices might be affected by URGENT/11 and develop risk mitigation plans.

“Some medical device manufacturers are already actively assessing which devices that use these operating systems are affected by URGENT/11 and identifying risk and remediation actions,” states the FDA. “Several manufacturers have also notified their customers with devices determined to be affected so far, which include an imaging system, an infusion pump, and an anesthesia machine.”

The agency anticipates that additional medical devices containing one or more of the vulnerabilities in the original IPnet software will be identified.
