FDA Issues Cybersecurity Warning for Medical Devices


The US Food and Drug Administration (FDA) issued a warning on Tuesday over vulnerabilities detected in decades-old software being used by many medical devices and hospital networks. 

The 11 vulnerabilities exist in IPnet, a third-party TCP/IP networking stack that handles network communications between devices. If exploited, they could allow an attacker to remotely take control of a medical device and change its function, cause a denial of service, or cause information leaks or logic errors that prevent the device from working.

The original maker of the IPnet software, Interpeak, no longer supports it, but some manufacturers hold licenses that allow them to keep using it without support, meaning the component may still be built into other software applications, equipment, and systems in use in medical devices.

IoT security company Armis discovered the vulnerabilities in the IPnet stack, collectively known as URGENT/11, and publicly disclosed them in July 2019. Since then, more than 30 vendors have issued security advisories.

When the vulnerabilities were discovered, it was thought that they only affected some versions of the popular real-time operating system Wind River VxWorks. However, the true impact of the cybersecurity risk is much greater because the IPnet software was licensed and used in multiple operating systems employed by the healthcare industry. 

According to the FDA, some versions of operating systems Integrity by Green Hills, ThreadX by Microsoft, Operating System Embedded by ENEA, ITRON by TRON Forum, and ZebOS by IP Infusion may contain the vulnerable software component. 

Medical devices affected so far include an imaging system, an infusion pump, and an anesthesia machine. The FDA said in its warning that it "expects that additional medical devices will be identified that contain one or more of the vulnerabilities associated with the original IPnet software." 

The IPnet vulnerabilities were zero-days at the time of discovery, meaning they were unknown to the affected vendors and unpatched when Armis found them; the term refers to the vendor's lack of prior notice, not to the age of the flaws. Several of the bugs are, however, long-standing defects in the decades-old IPnet code base, which is why devices built on many different operating systems are affected.

The Cybersecurity and Infrastructure Security Agency issued a warning regarding cybersecurity vulnerabilities in Wind River VxWorks on July 30.

The news follows the release of a 45-page guidance document, Principles and Practices for Medical Device Cybersecurity, this week by the International Medical Device Regulators Forum (IMDRF).

The document, which was put together by the FDA and Health Canada, says regarding third-party components: "These components can create risk of their own, which is managed by the manufacturer through risk management, quality management, and design choice. Manufacturers should manage the cybersecurity implications of the components—software and hardware—that are part of their devices. 

"Similarly, post-market issues with a third-party component may also affect the security of the medical device, and manufacturers need to manage this risk. Users expect the manufacturer to understand how a security vulnerability in an underlying component such as an operating system or processor affects the medical device. Regulators will require it."
