Date Issued: October 1, 2019
The U.S. Food and Drug Administration (FDA) is informing patients, health care providers and facility staff, and manufacturers about cybersecurity vulnerabilities that may introduce risks for certain medical devices and hospital networks. The FDA is not aware of any confirmed adverse events related to these vulnerabilities. However, software to exploit these vulnerabilities is already publicly available.
Security researchers have identified 11 vulnerabilities, named “URGENT/11.” These vulnerabilities may allow anyone to remotely take control of the medical device and change its function, cause denial of service, or cause information leaks or logical flaws, which may prevent device function.
These vulnerabilities exist in IPnet, a third-party software component that supports network communications between computers. Though the IPnet software may no longer be supported by the original software vendor, some manufacturers have a license that allows them to continue to use it without support. Therefore, the software may be incorporated into other software applications, equipment, and systems which may be used in a variety of medical and industrial devices that are still in use today.
Security researchers, medical device manufacturers, and the FDA are aware that some versions of the following operating systems are affected. Please note the vulnerable IPnet software component may not be included in all versions of these operating systems:
Some medical device manufacturers are already actively assessing which devices that use these operating systems are affected by URGENT/11 and identifying risk and remediation actions. Several manufacturers have also notified their customers consumers with devices determined to be affected so far, which include an imaging system, an infusion pump, and an anesthesia machine. The FDA expects that additional medical devices will be identified that contain one or more of the vulnerabilities associated with the original IPnet software.
On July 30, 2019, the Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security released an advisory about cybersecurity vulnerabilities called URGENT/11.
Since publication of the advisory, the FDA became aware that these vulnerabilities may affect other operating systems that use the IPnet. Currently, VxWorks and IPnet are owned by Wind River. IPnet was originally manufactured by Interpeak. Before Wind River purchased IPnet, Interpeak licensed this software to other Real Time Operating System (RTOS) vendors to integrate into their operating systems. IPnet may also have been incorporated into other software applications, equipment, and systems.
For more information about URGENT/11 Cybersecurity Vulnerabilities see:
The FDA is working closely with other federal agencies, manufacturers, and security researchers to identify, communicate and prevent adverse events related to the URGENT/11 vulnerabilities.
The FDA will continue to assess new information concerning the URGENT/11 vulnerabilities and will keep the public informed if significant new information becomes available.
If you think you had a problem with your device or a device your patient uses, the FDA encourages you to report the problem through the MedWatch Voluntary Reporting Form.
Health care personnel employed by facilities that are subject to the FDA’s user facility reporting requirements should follow the reporting procedures established by their facilities.
© 2018, TechNation Magazine. Site designed by MD Publishing, Inc.