The U.S. FDA has revealed that a set of cybersecurity vulnerabilities, referred to as “URGENT/11,” may introduce risks for medical devices and hospital networks if exploited by a remote attacker. URGENT/11 affects several operating systems that may then impact certain medical devices connected to a communications network, such as Wi-Fi and public or home Internet, as well as other connected equipment such as routers, connected phones and other critical infrastructure equipment.
These cybersecurity vulnerabilities may allow a remote attacker to take control of a medical device and change its function, cause a denial of service, or cause information leaks or logic errors, any of which may prevent a device from functioning properly or at all.
To date, the FDA has not received any adverse event reports associated with these vulnerabilities. The public was first informed of these vulnerabilities in a July 2019 advisory sent by the Department of Homeland Security. Today, the FDA is providing additional information regarding the source of these vulnerabilities and recommendations for reducing or avoiding risks the vulnerabilities may pose to certain medical devices.
“While advanced devices can offer safer, more convenient and timely health care delivery, a medical device connected to a communications network could have cybersecurity vulnerabilities that could be exploited resulting in patient harm,” says Amy Abernethy, MD, PhD, FDA’s principal deputy commissioner. “The FDA urges manufacturers everywhere to remain vigilant about their medical products—to monitor and assess cybersecurity vulnerability risks, and to be proactive about disclosing vulnerabilities and mitigations to address them.”
The URGENT/11 vulnerabilities exist in a third-party TCP/IP networking stack called IPnet, the software that devices use to communicate with each other over a network. IPnet is part of several operating systems and may also be incorporated into other software applications, equipment, and systems, so it may be present in a wide range of medical and industrial devices. Although the IPnet software may no longer be supported by its original vendor, some manufacturers hold a license that allows them to continue using it without support. Therefore, the software may be incorporated into a variety of medical and industrial devices that are still in use today.
Security researchers, manufacturers, and the FDA are aware that the following operating systems are affected, although the vulnerabilities may not be present in all versions of these operating systems:
- VxWorks (by Wind River)
- Operating System Embedded (OSE) (by ENEA)
- INTEGRITY (by Green Hills Software)
- ThreadX (by Microsoft)
- ITRON (by TRON)
- ZebOS (by IP Infusion)
The agency is asking manufacturers to work with healthcare providers to determine which medical devices, either in their healthcare facility or used by their patients, could be affected by URGENT/11 and to develop risk mitigation plans. Specifically, the FDA is recommending that manufacturers conduct a risk assessment, as described in the FDA's cybersecurity postmarket guidance, to evaluate the impact of these vulnerabilities on the medical devices they manufacture.
Medical device manufacturers should work with operating system vendors to identify available patches and other recommended mitigation methods, work with healthcare providers to determine which medical devices could potentially be affected, and discuss ways to reduce the associated risks.
Some medical device manufacturers are already actively assessing which devices may be affected by URGENT/11 and are identifying risk and remediation actions. In addition, several manufacturers have already proactively notified customers of affected products, which include medical devices such as an imaging system, an infusion pump and an anesthesia machine. The FDA expects that additional medical devices with one or more of the cybersecurity vulnerabilities will be identified.
“It’s important for manufacturers to be aware that the nature of these vulnerabilities allows the attack to occur undetected and without user interaction. Because an attack may be interpreted by the device as a normal network communication, it may remain invisible to security measures,” says Suzanne Schwartz, MD, MBA, deputy director of the Office of Strategic Partnerships and Technology Innovation in the FDA’s Center for Devices and Radiological Health.