Third-party software vulnerability could endanger medical devices, FDA and DHS warn

Dive Brief:

  • FDA and the Department of Homeland Security Tuesday issued concurrent advisories alerting patients, healthcare providers and manufacturers to cybersecurity vulnerabilities in IPnet, a widely used third-party software component that supports communication among computers.
  • The group of 11 vulnerabilities, named URGENT/11 by security researchers, could allow a hacker to gain control of a medical device remotely and change its function, deny service or cause information leaks or flaws, FDA said.
  • Medical devices affected include an imaging system, an infusion pump and an anesthesia machine, FDA said in its safety communication. The agency said it’s not aware of any patients being harmed due to the security vulnerabilities, but cautioned that more products incorporating the original IPnet software are expected to be identified as at risk.

Dive Insight:

“The FDA urges manufacturers everywhere to remain vigilant about their medical products — to monitor and assess cybersecurity vulnerability risks, and to be proactive about disclosing vulnerabilities and mitigations to address them,” Amy Abernethy, FDA’s principal deputy commissioner, said in a statement Tuesday.
The alert comes weeks after FDA convened experts to strategize on how to improve information flow between regulators, doctors and individuals with medical devices regarding cybersecurity best practices and known vulnerabilities.
DHS in July identified one operating system vendor, Wind River, whose software is vulnerable. The department’s new advisory expands the list of vendors with potentially exploitable software. Operating systems listed by FDA Tuesday as having affected versions include: VxWorks by Wind River, Operating System Embedded (OSE) by ENEA, Integrity by Green Hills, ThreadX by Microsoft, ITRON by TRON Forum and ZebOS by IP Infusion.
Several manufacturers are working on remediation efforts and have already notified customers, regulators said.
Security platform provider Armis issued a press release stating that more than 30 companies have issued their own advisories on URGENT/11, including GE Healthcare, Philips, Dräger and BD, as part of a coordinated disclosure process to mitigate risk. BD’s Alaris infusion pump has been the subject of several prior DHS cybersecurity alerts.
FDA recommended device makers conduct a risk assessment, described in the agency’s cybersecurity postmarket guidance, to determine whether URGENT/11 affects their products and to develop risk mitigation plans. It said companies should work with operating system vendors to identify patches and with healthcare providers to identify methods for reducing risks.
The Medical Imaging and Technology Alliance on Tuesday also released recommendations as well as links to specific companies’ security information to assist health delivery organizations in responding to the URGENT/11 vulnerabilities.