Skip to main content
close search
site logo
Dive Brief

Third-party software vulnerability could endanger medical devices, FDA and DHS warn

Published Oct. 2, 2019
By
Reporter
Dollar Photo Club

Dive Brief:

  • FDA and the Department of Homeland Security Tuesday issued concurrent advisories alerting patients, healthcare providers and manufacturers to cybersecurity vulnerabilities in IPnet, a widely used third-party software component that supports communication among computers.
  • The group of 11 vulnerabilities, named URGENT/11 by security researchers, could allow a hacker to gain control of a medical device remotely and change its function, deny service or cause information leaks or flaws, FDA said.
  • Medical devices affected include an imaging system, an infusion pump and an anesthesia machine, FDA said in its safety communication. The agency said it's not aware of any patients being harmed due to the security vulnerabilities, but cautioned that more products are expected to be identified that are at risk from association with the original IPnet software.

Dive Insight:

"The FDA urges manufacturers everywhere to remain vigilant about their medical products — to monitor and assess cybersecurity vulnerability risks, and to be proactive about disclosing vulnerabilities and mitigations to address them," Amy Abernethy, FDA's principal deputy commissioner, said in a statement Tuesday.

The alert comes weeks after FDA convened experts to strategize on how to improve information flow between regulators, doctors and individuals with medical devices regarding cybersecurity best practices and known vulnerabilities.

DHS in July identified one operating system vendor, Wind River, whose software is vulnerable. The department's new advisory expands the list of vendors with potentially exploitable software. Operating systems listed by FDA Tuesday as having affected versions include: VxWorks by Wind River, Operating System Embedded (OSE) by ENEA, Integrity by Green Hills, ThreadX by Microsoft, ITRON by TRON Forum and ZebOS by IP Infusion.

Several manufacturers are working on remediation efforts and have already notified customers, regulators said.

Security platform provider Armis issued a press release stating that more than 30 companies have issued their own advisories on URGENT/11, including GE Healthcare, Philips, Drager and BD, as part of a coordinated disclosure process to mitigate risk. BD's Alaris infusion pump has been the subject of several prior DHS cybersecurity alerts.

FDA recommended device makers conduct a risk assessment, described in the agency's cybersecurity postmarket guidance, to determine whether URGENT/11 affects their products and to develop risk mitigation plans. It said companies should work with operating system vendors to identify patches and with healthcare providers to identify methods for reducing risks.

The Medical Imaging and Technology Alliance on Tuesday also released recommendations as well as links to specific companies' security information to assist health delivery organizations in responding to the URGENT/11 vulnerabilities.

Recommended Reading

Editors' picks

Company Announcements

View all | Post a press release
Powerful Medical Becomes the First Company to Win Best Science Startup and Overall Winner at A…
From Powerful Medical
November 21, 2024
SYNDEO Medical Announces European MDR Approval for Two Product Brands
From SYNDEO Medical
November 06, 2024
Echosens Launches its Liver Health Management (LHM) Platform Globally, Streamlining Liver Care
From Echosens
November 04, 2024
Osteal Therapeutics Announces Positive 12-Month Results from the APEX Clinical Trial Program a…
From Osteal Therapeutics
November 14, 2024
Editors' picks
Latest in Medical Devices
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell