FDA: Cybersecurity Vulnerabilities Identified With Certain Medical Devices, Hospital Networks

The Food and Drug Administration (FDA) has issued an alert regarding a set of cybersecurity vulnerabilities that may potentially introduce risks for certain medical devices and hospital networks. 

Security researchers have determined 11 vulnerabilities, referred to as “URGENT/11”, that may potentially allow an unauthorized user to take control of a facilities’ medical network leading to denial of service, information leaks or change of function. The third-party software, called IPnet, is part of several operating systems incorporated into a variety of medical and industrial devices that could be vulnerable to a breach in cybersecurity.

According to the FDA’s cybersecurity postmarket guidance, manufacturers are recommended to work with their respective healthcare providers to conduct a risk assessment on potentially impacted medical devices and to develop risk mitigation plans. Some manufacturers associated with the IPnet software have started assessing their medical devices and have notified their customers regarding  impacted products (ie, imaging systems, infusion pumps, anesthesia machines).

Security researchers, manufacturers and the FDA have determined the following operating systems may be affected, however some versions may not include the vulnerability:

  • VxWorks (by Wind River)
  • Operating System Embedded (OSE) (by ENEA)
  • INTEGRITY (by GreenHills)
  • ThreadX (by Microsoft)
  • ITRON (by TRON)
  • ZebOS (by IP Infusion)

“While advanced devices can offer safer, more convenient and timely healthcare delivery, a medical device connected to a communications network could have cybersecurity vulnerabilities that could be exploited resulting in patient harm,” said Amy Abernethy, MD, PhD, FDA’s principal deputy commissioner. “The FDA urges manufacturers everywhere to remain vigilant about their medical products – to monitor and assess cybersecurity vulnerability risks, and to be proactive about disclosing vulnerabilities and mitigations to address them.”

Related Articles

Healthcare providers are advised to notify patients of potentially impacted medical devices. Additionally, the FDA recommends healthcare facility staff, including IT staff, use “firewalls, virtual private networks (VPN), or other technologies that minimize exposure to URGENT/11 exploitation.” 

Adverse events associated with these products should be reported to the FDA’s MedWatch Program.

For more information visit fda.gov.