Certain medical devices and hospital communications networks could contain cybersecurity vulnerabilities that could allow a remote attacker to take control of the device and change its function, the Food and Drug Administration (FDA) warned on Tuesday.
The vulnerabilities, referred to as “URGENT/11,” exist in a third-party software called IPnet that computers use to communicate with each other over networks such as Wi-Fi and public or home internet as well as routers and connected phones. The software may be used in a variety of always-on medical devices, which include imaging systems, infusion pumps, and anesthesia machines, the FDA said.
“The FDA warning indicates that this is a serious issue,” said Dallas pediatrician Joseph Schneider, MD, chair of TMA’s Committee on Health Information Technology. “Individual practices should check with their IT support to see whether they are affected.”
As of Oct. 1, the FDA had not received any reports of adverse events – including denial of service, information leaks, and logical flaws – associated with URGENT/11, the agency’s warning said.
Several operating systems have been affected, the FDA said, but the vulnerability may not be included in all versions of these operating systems:
- VxWorks (by Wind River)
- Operating System Embedded (OSE) (by ENEA)
- INTEGRITY (by GreenHills)
- ThreadX (by Microsoft)
- ITRON (by TRON)
- ZebOS (by IP Infusion)
“The agency is asking manufacturers to work with health care providers to determine which medical devices, either in their health care facility or used by their patients, could be affected by URGENT/11 and develop risk mitigation plans,” the statement said. “Patients should talk to their health care providers to determine if their medical device could be affected and to seek help right away if they notice the functionality of their device has changed.”
The FDA posted the following recommendations for physicians and health care facility staff:
- Advise patients who use medical devices that may be affected.
- Remind patients who use medical devices to seek medical help right away if they think operation or function of their medical device changed unexpectedly.
- Work with device manufacturers to determine which medical devices in your facilities or in use by your patients could be affected by these vulnerabilities and develop risk mitigation plans.
- Monitor your network traffic and logs for indications that an URGENT/11 exploit is taking place.
- Use firewalls, virtual private networks (VPNs), or other technologies that minimize exposure to URGENT/11 exploitation.
Possible vulnerabilities should be reported through the FDA’s MedWatch Voluntary Reporting Form.
“Affected and unaffected physicians and staff should also take this as a warning to practice safe cyber-hygiene – don’t open emails from unknown sources and don’t click on links unless you know that they are good,” Dr. Schneider said. “Also, be sure to keep your software up to date with the latest security patches. Cyber security is a patient safety issue and therefore is everyone’s job.”
As always, the Texas Medical Association has plenty of tools and information to keep you and your practice safe from cyber security attacks on its Ransomware and Cyber Security Resource Center.
In addition, the Texas Medical Liability Trust (TMLT) offers cyber consulting services – including risk assessments, physician and staff HIPAA training, and CME programs – to keep your practice safe. TMLT, the state's largest medical liability insurance provider, includes Cyber Coverage in its policies. TMA created and endorsed TMLT, and it is owned by its policyholders.