Last week FDA issued a warning to patients, healthcare providers and facilities, and device manufacturers about cybersecurity vulnerabilities that, according to the FDA alert, could enable remote control of a device to change its function, cause denial of service, or cause information leaks or logical flaws that could prevent its function. The 11 vulnerabilities, dubbed “URGENT/11”, were identified by security researchers and are present in IPnet, a third-party software component that supports computer-to-computer network communication. Although the software might no longer be supported by the original software vendor, FDA states that some manufacturers still hold a license that enables continued use without vendor support. The agency states that the following operating systems could be vulnerable: VxWorks by Wind River; Operating System Embedded by ENEA; Integrity by Green Hills; ThreadX by Microsoft; ITRON by TRON; and ZebOS by IP Infusion.
Adverse events related to this vulnerability have not been reported, but software exploiting the vulnerabilities is publicly available. “While we are not aware of patients who may have been harmed by this particular cybersecurity vulnerability, the risk of patient harm if such a vulnerability were left unaddressed could be significant,” said Suzanne Schwartz, M.D., deputy director of the Office of Strategic Partnerships and Technology Innovation in CDRH in an FDA release. “It’s important for manufacturers to be aware that the nature of these vulnerabilities allows the attack to occur undetected and without user interaction. Because an attack may be interpreted by the device as a normal network communication, it may remain invisible to security measures.”
According to the FDA’s press announcement, some medtech manufacturers are in the process of determining whether their devices are impacted by URGENT/11 and have alerted customers of vulnerable products, including an anesthesia machine, imaging system and infusion pump.