The US Food and Drug Administration (FDA) has warned patients, clinicians, IT staff and manufacturers across the medical industry of a set of cybersecurity vulnerabilities in their communications software.
Referred to as URGENT/11, these flaws exist in third-party software called IPnet, which computers use to communicate over a network.
The flaws could allow a remote attacker to take control of a medical device or hospital network and interfere with its operation. An attacker exploiting them could alter how a device behaves through denial of service, information leaks and logical flaws, which could stop the device functioning properly, or at all.
URGENT/11 affects several operating systems used in medical devices connected to a communications network, such as Wi-Fi or Ethernet, as well as connected equipment such as routers, connected phones and other critical infrastructure equipment.
FDA principal deputy commissioner Amy Abernethy said: “While advanced devices can offer safer, more convenient and timely health care delivery, a medical device connected to a communications network could have cybersecurity vulnerabilities that could be exploited resulting in patient harm.”
Vulnerabilities have been identified in six operating systems that incorporate IPnet: VxWorks by Wind River; Operating System Embedded by ENEA; INTEGRITY by Green Hills; ThreadX by Microsoft; ITRON by TRON; and ZebOS by IP Infusion.
Manufacturers are being asked to work with healthcare providers to determine which medical devices used by their patients could be affected by URGENT/11. Patients are advised to speak to their healthcare providers about whether their medical device could be affected.
FDA Center for Devices and Radiological Health deputy director Suzanne Schwartz said: “The safety communication issued today contains recommendations for what actions patients, health care providers and manufacturers should take to reduce the risk this vulnerability could pose.
“It’s important for manufacturers to be aware that the nature of these vulnerabilities allows the attack to occur undetected and without user interaction. Because an attack may be interpreted by the device as a normal network communication, it may remain invisible to security measures.”
The FDA is working with manufacturers and healthcare delivery organisations to help develop and implement solutions to address cybersecurity issues throughout the lifecycle of a medical device.
MedCrypt chief security strategist Axel Wirth said he considered the FDA’s recommendation that patients be advised about the vulnerabilities “not quite practical”.
He added: “We have not yet seen any reports of a medical device vulnerability leading to an adverse effect for a patient. In the past, vulnerabilities were handled by security teams in hospitals. I am not sure if, at present, patients would be able to recognise a cyber issue related to their devices, nor would I expect that clinicians have been trained on how to assess such a case.”