The U.S. Food and Drug Administration (FDA) has warned patients, providers, and medical device manufacturers about possible cybersecurity liabilities in certain medical devices and health care networks.
The vulnerabilities, which the agency called URGENT/11, could allow a user to remotely control medical devices connected to WiFi networks, routers, and phones causing information leaks, denials of service, or malfunctioning. The FDA said it has not received reports of any such attacks at this time.
The FDA identified the following operating systems as being affected, but noted that the vulnerability may not be included in all versions of these operating systems:
- VxWorks (by Wind River)
- Operating System Embedded (by ENEA)
- INTEGRITY (by Green Hills)
- ThreadX (by Microsoft)
- ITRON (by TRON)
- ZebOS (by IP Infusion)
"The risk of patient harm if such a vulnerability were left unaddressed could be significant," said Suzanne Schwartz, MD, MBA, deputy director of the Office of Strategic Partnerships and Technology Innovation in the FDA's Center for Devices and Radiological Health. "It's important for manufacturers to be aware that the nature of these vulnerabilities allows the attack to occur undetected and without user interaction. Because an attack may be interpreted by the device as a normal network communication, it may remain invisible to security measures."
FDA principal deputy commissioner Amy Abernethy, MD, PhD, said, "The agency urges manufacturers everywhere to remain vigilant about their medical products – to monitor and assess cybersecurity vulnerability risks, and to be proactive about disclosing vulnerabilities and mitigations to address them."
The agency advises patients who use medical devices to discuss these risks with their doctors and urges manufacturers to quickly address the vulnerabilities.