With “URGENT/11” possibly introducing risks for medical devices and hospital networks if exploited by a remote attacker, the U.S. Food and Drug Administration is informing patients, manufacturers and IT staff in health care facilities about the cybersecurity vulnerabilities.
URGENT/11 affects multiple operating systems, which in turn may affect medical devices connected to a communications network, as well as other connected equipment, the agency said in a press release.
According to the release, “These cybersecurity vulnerabilities may allow a remote user to take control of a medical device and change its function, cause denial of service, or cause information leaks or logical flaws, which may prevent a device from functioning properly or at all.”
Amy Abernethy, M.D., Ph.D., FDA’s principal deputy commissioner, said in the release, “While advanced devices can offer safer, more convenient and timely health care delivery, a medical device connected to a communications network could have cybersecurity vulnerabilities that could be exploited resulting in patient harm.” Abernethy continued, “the FDA urges manufacturers everywhere to remain vigilant about their medical products — to monitor and assess cybersecurity vulnerability risks, and to be proactive about disclosing vulnerabilities and mitigations to address them.”
The FDA has not received any adverse event reports associated with these vulnerabilities to date. The public was first told of these vulnerabilities in July, in an advisory sent by the Department of Homeland Security. According to the announcement, “today, the FDA is providing additional information regarding the source of these vulnerabilities and recommendations for reducing or avoiding risks the vulnerabilities may pose to certain medical devices.”
The URGENT/11 vulnerabilities occur in third-party IPnet software, which computers use to communicate with one another through a network. The software is part of multiple operating systems and may be incorporated into other software applications, systems and equipment. It may also be used in a wide array of industrial and medical devices.
While the IPnet software may no longer be supported by the original software vendor, some manufacturers have a license that allows them to continue to use it without support. As a result, the software may be incorporated into a variety of medical and industrial devices that are still in use.