FDA Safety Communication / Courtesy of FDA, Pixabay and RRY Publications

The FDA issued an “Urgent Safety Communication” on October 1, 2019, regarding cybersecurity vulnerabilities that “may introduce risks for certain medical devices and hospital networks.”

While stating it was unaware of any confirmed adverse events related to these vulnerabilities, the agency noted that software to exploit them already exists.

URGENT/11

The urgent communication comes after the Cybersecurity and Infrastructure Security Agency, within the Department of Homeland Security, released an advisory on July 30, 2019, about cybersecurity vulnerabilities called URGENT/11.

The advisory said security researchers identified the “URGENT/11” vulnerabilities which “may allow anyone to remotely take control of the medical device and change its function, cause denial of service, or cause information leaks or logical flaws, which may prevent device function.”

“These vulnerabilities exist in IPnet, a third-party software component that supports network communications between computers. Though the IPnet software may no longer be supported by the original software vendor, some manufacturers have a license that allows them to continue to use it without support. Therefore, the software may be incorporated into other software applications, equipment, and systems which may be used in a variety of medical and industrial devices that are still in use today.”

The agency identified the following operating systems as affected:

  • VxWorks (by Wind River)
  • Operating System Embedded (OSE) (by ENEA)
  • INTEGRITY (by Green Hills)
  • ThreadX (by Microsoft)
  • ITRON (by TRON Forum)
  • ZebOS (by IP Infusion)

Active Assessments Underway

Device manufacturers, according to the communication, “are already actively assessing which devices that use these operating systems are affected by URGENT/11 and identifying risk and remediation actions.” “Several manufacturers have also notified their customers with devices determined to be affected so far, which include an imaging system, an infusion pump, and an anesthesia machine.”

“The FDA expects that additional medical devices will be identified that contain one or more of the vulnerabilities associated with the original IPnet software.”
