On the heels of an FDA committee report concerning cybersecurity issues with medical devices [view related post], the U.S. Food and Drug Administration (FDA) issued an alert regarding cybersecurity vulnerabilities, referred to as “URGENT/11,” that could introduce risks for some medical devices and hospital networks.
According to the FDA’s October 1st notice, the URGENT/11 vulnerabilities exist in IPnet, a third-party software component that supports network communications between computers. The vulnerabilities affect several operating systems and might impact certain medical devices connected to a communications network, such as Wi-Fi and public or home Internet, as well as other connected equipment such as routers, connected phones and critical infrastructure equipment. These cybersecurity vulnerabilities could allow a remote user to take control of a medical device and change its function, cause denial of service, or cause information leaks or logical flaws that could prevent a device from functioning properly, if at all.
At this time, although the FDA is unaware of any confirmed adverse events related to the URGENT/11 vulnerabilities, it notes that software to exploit the weaknesses is already publicly available. The FDA alert includes recommendations for manufacturers, health care providers, health care facility staff (including IT professionals), and patients to assess, communicate, and mitigate risks. Some medical device manufacturers are already actively determining which devices have operating systems affected by URGENT/11 and are identifying risk and remediation actions, including notification to health care providers and consumers as appropriate.
Devices found to be affected thus far include an imaging system, an infusion pump, and an anesthesia machine. However, the FDA expects that more medical devices will be identified that contain one or more of the vulnerabilities associated with the original IPnet software.
The FDA encourages patients and their health care providers to report suspected problems with medical devices through the MedWatch Voluntary Reporting Form. Further, the FDA is working closely with other federal agencies, manufacturers, and security researchers to identify, communicate and prevent adverse events related to the URGENT/11 vulnerabilities. More information on URGENT/11 can be found in a corresponding advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security.