Federal health officials are warning hospital and healthcare professionals that certain medical devices equipped with decades-old, unsupported software could be vulnerable to cybersecurity hacks.
In conjunction with the Department of Homeland Security (DHS), the FDA released a medical device cybersecurity warning, titled “URGENT/11”, on October 1, which details how certain medical devices that communicate over a network may contain vulnerabilities, potentially allowing hackers to remotely take control of the device and change its functions.
The warning outlines 11 vulnerabilities that could allow remote control of a medical device and its functions, cause denial of service, or cause information leaks or logic flaws, any of which could unintentionally shut down a device while it is in use.
The vulnerabilities exist in IPnet, a third-party software component that handles network communications between computers, the FDA indicates. The component was incorporated into many applications, equipment, and systems used in medical and industrial devices that are still in use today. Although the software may still function, for many users it is no longer supported by its original vendor and so remains susceptible to attack.
Several operating systems affected by the IPnet risks include VxWorks by Wind River, Operating System Embedded (OSE) by ENEA, INTEGRITY by Green Hills, ThreadX by Microsoft, ITRON by TRON Forum, and ZebOS by IP Infusion.
Medical devices running unsupported versions of these operating systems and connected to a communications network (such as Wi-Fi or the public or home internet), as well as other critical infrastructure equipment, may all be vulnerable.
Though the FDA is not aware of exactly which devices, or how many, may be impacted, the URGENT/11 warning estimates that many medical devices, such as imaging systems, infusion pumps, anesthesia machines, pacemakers, insulin pumps, and others, are at increased risk.
The warning instructs patients and medical providers to closely monitor any devices that could be vulnerable to these threats, because such attacks may easily go undetected: the malicious traffic looks like normal network communication and may therefore remain invisible to security measures.
The FDA has been working on a framework for cybersecurity threats across the medical field since 2013, and the need for additional protection has only become more of a necessity with the increased number of incidents. In 2015 alone, the healthcare industry had more data breaches than in the previous six years combined, compromising more than 113 million medical records.
Although there have been no confirmed adverse reports of hackers successfully taking over a medical device being used by a patient, officials warn that the vulnerabilities in many devices running on unsupported operating systems could pose life-threatening risks.
FDA Urges Manufacturers To Fix Software Security Gaps
While the agency is urging patients and medical providers to be wary, FDA officials say it is ultimately a problem manufacturers will have to fix.
“While advanced devices can offer safer, more convenient and timely health care delivery, a medical device connected to a communications network could have cybersecurity vulnerabilities that could be exploited resulting in patient harm,” Dr. Amy Abernethy, FDA’s principal deputy commissioner, said in a press release. “The FDA urges manufacturers everywhere to remain vigilant about their medical products—to monitor and assess cybersecurity vulnerability risks, and to be proactive about disclosing vulnerabilities and mitigations to address them.”
The FDA recommends that medical device manufacturers conduct the risk assessment outlined in its postmarket cybersecurity guidance and develop risk mitigation plans as they design new devices. Device manufacturers are also encouraged to work with operating system vendors to identify available patches and other recommended mitigations.
Earlier this year, the FDA issued a safety communication warning about vulnerabilities in at least 22 Medtronic implantable cardioverter defibrillators (ICDs) and cardiac resynchronization therapy defibrillators (CRT-Ds), after discovering that the wireless telemetry system used to communicate with and adjust the implanted devices could be hacked because it lacked basic security protocols.
FDA officials warned that the wireless telemetry system, Conexus, which uses radio frequency to enable communication between the implanted devices and monitoring equipment, does not use encryption, authentication, or authorization when connecting to the devices. Because of this lack of cybersecurity protocols, if the weakness were exploited, someone could disrupt the transmission of data from the implanted device to the monitoring equipment and alter the heart rate data.
A similar issue for Medtronic arose in June this year, when the manufacturer recalled its MiniMed 508 and MiniMed Paradigm series insulin pumps over cybersecurity concerns that someone other than the patient or healthcare provider could change insulin delivery settings and alter glucose level data.
The FDA urges health care professionals and patients to report any problems with medical devices to its MedWatch Adverse Event Reporting Program.