Orthopedics This Week
FDA Issues Urgent Cybersecurity Warning

October 5, 2019

FDA Safety Communication / Courtesy of FDA, Pixabay and RRY Publications

The FDA issued an “Urgent Safety Communication” on October 1, 2019 regarding cybersecurity vulnerabilities that “may introduce risks for certain medical devices and hospital networks.”

While stating it was unaware of any confirmed adverse events related to these vulnerabilities, the agency noted software already exists to exploit those vulnerabilities.

URGENT/11

The urgent communication comes after the Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security released an advisory on July 30, 2019 about cybersecurity vulnerabilities called URGENT/11.

The advisory said security researchers identified the “URGENT/11” vulnerabilities which “may allow anyone to remotely take control of the medical device and change its function, cause denial of service, or cause information leaks or logical flaws, which may prevent device function.”

“These vulnerabilities exist in IPnet, a third-party software component that supports network communications between computers. Though the IPnet software may no longer be supported by the original software vendor, some manufacturers have a license that allows them to continue to use it without support. Therefore, the software may be incorporated into other software applications, equipment, and systems which may be used in a variety of medical and industrial devices that are still in use today.”

The agency identified the following operating systems:

  • VxWorks (by Wind River)
  • Operating System Embedded (OSE) (by ENEA)
  • INTEGRITY (by Green Hills)
  • ThreadX (by Microsoft)
  • ITRON (by TRON Forum)
  • ZebOS (by IP Infusion)

Active Assessments Underway

Device manufacturers, according to the communication, “are already actively assessing which devices that use these operating systems are affected by URGENT/11 and identifying risk and remediation actions.” “Several manufacturers have also notified their customers with devices determined to be affected so far, which include an imaging system, an infusion pump, and an anesthesia machine.”

“The FDA expects that additional medical devices will be identified that contain one or more of the vulnerabilities associated with the original IPnet software.”

Recommendations for Manufacturers

  • Conduct a risk assessment.
  • Work with the operating system vendor to identify if a patch is available and implement recommended mitigation methods.
  • Ensure any mitigations you may currently employ (for example: firewalls, virtual private network (VPN)) are not impacted by URGENT/11.
  • Develop a plan for updating your medical device to accommodate a version of an OS (or a communication protocol) that is not impacted by the URGENT/11 vulnerabilities.
  • Work with health care providers and facilities to determine affected medical devices and discuss and develop ways to ensure that risks are reduced to acceptable levels.
  • Communicate with your customers and the user community regarding your assessment and recommendations for risk mitigation strategies and any compensating controls, to allow customers to make informed decisions about device use. Provide an Information Sharing Analysis Organization (ISAO) with any customer communications upon notification of your customers.
  • Report medical devices you’ve identified as vulnerable to URGENT/11 to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) at ICS-CERT@HQ.DHS.GOV, so that this information can be added to its evolving list of products.

Recommendations for Health Care Providers

  • Advise patients who use medical devices that may be affected.
  • Remind patients who use medical devices to seek medical help right away if they think operation or function of their medical device changed unexpectedly.
  • Work with device manufacturers to determine which medical devices in your facilities or in use by your patients could be affected by these vulnerabilities and develop risk mitigation plans.

Recommendations for Health Care Facility Staff (including IT Staff)

  • Monitor your network traffic and logs for indications that an URGENT/11 exploit is taking place.
  • Use firewalls, virtual private networks (VPN), or other technologies that minimize exposure to URGENT/11 exploitation.

Recommendations for Patients and Caregivers

  • Talk to your health care provider to determine if your medical device may be affected. Please be aware that health care providers may not have access to this information at the time of issuance of this communication. Device manufacturers should be reaching out to their customers as more information becomes available.
  • Seek medical help right away if you think operation or function of your medical device changed unexpectedly.

The FDA communication, along with linked resources, is available online.
