FDA issues new cybersecurity warning


The U.S. Food and Drug Administration (FDA) has issued a safety communication on the potential risks for medical devices -- including imaging systems -- and hospital networks from the so-called Urgent/11 cybersecurity vulnerabilities.

Urgent/11 refers to 11 vulnerabilities identified by a security firm in IPnet, a third-party software application that computers use to communicate with each other over a network, according to the FDA. The software is part of several operating systems and may be incorporated into other software applications, equipment, and systems. It may be used in a wide range of medical and industrial devices, the agency said.

These 11 vulnerabilities (Urgent/11) could allow a remote user to take control of a medical device and change its function, cause denial of service, or cause information leaks or logical flaws that prevent a device from functioning properly at all, according to the FDA.

"Though the IPnet software may no longer be supported by the original software vendor, some manufacturers have a license that allows them to continue to use it without support," the agency wrote. "Therefore, the software may be incorporated into a variety of medical and industrial devices that are still in use today."

Although the FDA has not yet received any adverse event reports associated with these vulnerabilities, it noted that several manufacturers have notified their customers about affected devices, which include an imaging system, an infusion pump, and an anesthesia machine. Additional medical devices will likely be identified that contain one or more of the vulnerabilities associated with the original IPnet software, according to the FDA.

The FDA said it is aware of the following operating systems being affected by Urgent/11:

  • VxWorks (Wind River)
  • Operating System Embedded (OSE) (Enea)
  • Integrity (Green Hills)
  • ThreadX (Microsoft)
  • ITRON (TRON)
  • ZebOS (IP Infusion)

The vulnerabilities may not be present in all versions of these operating systems, the FDA noted.

The agency is asking manufacturers to work with healthcare providers to determine which medical devices, either in their healthcare facility or used by their patients, could be affected by Urgent/11 and to develop risk-mitigation plans. Furthermore, the FDA is recommending that patients talk to their healthcare providers to determine if their medical device could be affected and to seek help right away if they notice the functionality of their device has changed.

The safety communication can be found on the FDA's website.
