FDA warns of potential cyber vulnerabilities in internet-connected medical devices


The Food and Drug Administration (FDA) on Tuesday warned patients, providers and manufacturers about cybersecurity vulnerabilities in certain medical devices and health care networks.

The vulnerabilities, referred to by the agency as URGENT/11, have the potential to harm operating systems for medical devices connected to communications networks like Wi-Fi and equipment such as routers and phones.


According to the FDA, the cyber vulnerabilities could allow a remote actor to “take control” of the device, which could change its function, cause information leaks or stop the device from functioning.

The FDA emphasized that it had not received any reports of “adverse events” that have occurred as a result of the cyber vulnerabilities.

However, Suzanne Schwartz, the deputy director of the Office of Strategic Partnerships and Technology Innovation in the FDA’s Center for Devices and Radiological Health, said in a statement that the “risk of patient harm if such a vulnerability were left unaddressed could be significant.”

“It’s important for manufacturers to be aware that the nature of these vulnerabilities allows the attack to occur undetected and without user interaction. Because an attack may be interpreted by the device as a normal network communication, it may remain invisible to security measures,” she added.

The cyber vulnerabilities exist as part of IPnet software, which is used by computers to communicate over a network. The FDA warned that this software is incorporated into multiple operating systems involved in medical and industrial devices.

“Though the IPnet software may no longer be supported by the original software vendor, some manufacturers have a license that allows them to continue to use it without support,” the FDA wrote in its warning. “Therefore, the software may be incorporated into a variety of medical and industrial devices that are still in use today.”

Amy Abernethy, the FDA’s principal deputy commissioner, said in a statement that the agency “urges manufacturers everywhere to remain vigilant about their medical products—to monitor and assess cybersecurity vulnerability risks, and to be proactive about disclosing vulnerabilities and mitigations to address them.”

The FDA said patients with medical devices should talk to their doctors about whether their device could be impacted by the cyber vulnerabilities, and that medical device manufacturers should work to quickly address whether their devices are open to the vulnerabilities.

The Department of Homeland Security (DHS) first warned of the cyber vulnerabilities in July.

This is not the first time the FDA has warned of cyber vulnerabilities related to medical devices. The agency in June warned of vulnerabilities in certain insulin pumps that were later recalled.