The Food and Drug Administration has alerted medical device manufacturers, patients, and health providers about cybersecurity vulnerabilities that may put certain medical devices and hospital networks at risk.
Cybersecurity firm Armis Security has identified 11 vulnerabilities, known as URGENT/11, in IPNet, a third-party software component used in some medical devices to facilitate network communications. External actors can exploit these vulnerabilities to assume control of the medical device and change or prevent its intended function.
IPNet, and thus the associated vulnerabilities, could be included in some versions of the following operating systems used in medical devices:
- VxWorks, by Wind River;
- Operating System Embedded, by ENEA;
- INTEGRITY, by Green Hills;
- ThreadX, by Microsoft;
- ITRON, by TRON Forum; and
- ZebOS, by IP Infusion.
The affected devices so far include an imaging system, an anesthesia machine, and an infusion pump. The FDA advises providers and staff to:
- inform patients whose medical devices might be affected;
- advise patients who use medical devices to get medical help immediately if they suspect their medical device’s operation or function has changed unexpectedly;
- work with device manufacturers to identify potentially vulnerable medical devices in their facility and develop risk mitigation plans;
- monitor network traffic and logs for signs that an URGENT/11 exploit could be occurring; and
- use virtual private networks, firewalls, or other means to minimize exposure to the vulnerabilities.
The FDA also encourages providers to report any medical device problems using its MedWatch voluntary reporting form.
America’s Essential Hospitals has established a resource page on IT security for essential hospitals. Visit this page for new information and updates.
Contact Senior Director of Policy Erin O’Malley at firstname.lastname@example.org or 202.585.0127 with questions.