FDA Warns of Vulnerabilities Affecting an Unknown Number of Medical Devices
The Food & Drug Administration (FDA) is warning patients, health care professionals, IT staff, and manufacturers about a set of vulnerabilities known under the name URGENT/11, which would let an attacker go after a medical device and change its function.
Hackers trying to steal banking information or to breach a database with user names and passwords is one thing. But the chance that hackers could stop an insulin pump or control a pacemaker takes risk to an entirely different level.
Predicting the effects of such events is almost as impossible as figuring out how many people would be impacted if any of these vulnerabilities ever become public. That’s the main reason the FDA is advising everyone to pay close attention to these potential problems.
“The FDA urges manufacturers everywhere to remain vigilant about their medical products—to monitor and assess cybersecurity vulnerability risks, and to be proactive about disclosing vulnerabilities and mitigations to address them,” reads the FDA’s advisory.
This set of vulnerabilities is traced back to the now-defunct IPnet protocol, based on the TCP/IP stack. Unfortunately, the company that built the IPnet and licensed it to manufacturers is no longer operating, leaving the protocol without maintenance or support.
The FDA named six operating systems affected by URGENT/11, even if this particular software component is not present in all of them:
- VxWorks (by Wind River)
- Operating System Embedded (OSE) (by ENEA)
- INTEGRITY (by Green Hills)
- ThreadX (by Microsoft)
- ITRON (by TRON Forum)
- ZebOS (by IP Infusion)
An imaging system, an infusion pump and an anesthesia machine are among the affected machines. And that’s just what’s been discovered so far. More devices are expected to be found, but it’s difficult to give a time frame for any fixes and patches.
All the FDA can do now is to provide guidance for manufacturers, health care providers, IT staff, and patients and caregivers.
Manufacturers should start a risk assessment study to determine what devices are actually affected and to begin planning to deploy fixes — observing the vulnerability in action is exceptionally challenging because any attack would look like routine communication.
Technically, manufacturers should notify patients and medical facilities if they are using vulnerable devices. A possible temporary solution would be to use VPNs or similar software whenever possible.
The first report of a hacker gaining the ability to kill by taking over a medical device came in 2011. Diabetic security researcher Jerome Radcliffe demonstrated at a Black Hat USA security conference how he could remotely access an insulin pump and direct it to deliver lethal amounts of insulin.
The FDA says that there’s no indication URGENT/11 vulnerabilities were used in the wild, but that’s hardly reassuring.
The FDA has been working with health care manufacturers for a long time, trying to make sure that secure devices hit the market, but many of these issues affect older equipment.