URGENT/11: FDA issues alert for cyber vulnerability that threatens medical devices, networks

If exploited by a remote attacker, the set of vulnerabilities could pose safety and security risks for connected medical devices and hospital networks.
By Mike Miliard
12:42 PM

The U.S. Food and Drug Administration issued a safety communication on Tuesday – aimed at healthcare organizations, IT professionals, device manufacturers and patients – warning of the cybersecurity vulnerabilities known as URGENT/11.

WHY IT MATTERS
The risk, said FDA officials in the communication, is that URGENT/11, if exploited by a remote attacker, could pose safety and security risks for connected medical devices and hospital networks.

The URGENT/11 vulnerabilities center around a third-party software, IPnet, that computers use to communicate with each other over a network. They affect at least six different operating systems and could impact connected equipment such as routers, connected devices or other critical infrastructure.

"Security researchers, manufacturers and the FDA are aware that the following operating systems are affected, but the vulnerability may not be included in all versions of these operating systems," the FDA said, listing the operating systems:

  • VxWorks (by Wind River)
  • Operating System Embedded (OSE) (by ENEA)
  • INTEGRITY (by GreenHills)
  • ThreadX (by Microsoft)
  • ITRON (by TRON)
  • ZebOS (by IP Infusion)

"These cybersecurity vulnerabilities may allow a remote user to take control of a medical device and change its function, cause denial of service, or cause information leaks or logical flaws, which may prevent a device from functioning properly or at all," said officials.

While the FDA notes that it has not received reports of any adverse events related to URGENT/11 vulnerabilities, the risk is real enough that it issued a series of recommendations for providers, IT professionals and patients:

Security and IT staff should monitor network traffic and logs for any indications that an URGENT/11 exploit is taking place, and be sure to use firewalls, virtual private networks or other technologies that minimize exposure to exploitation.

Providers should contact medical device manufacturers to determine which devices may be in use in their facilities – or by their patients – and develop mitigation plans for these potential vulnerabilities.

Additionally, they should reach out to patients with medical devices to let them know they could be affected, and remind them to seek help right away if they have reason to think the operation or functionality of their device has changed unexpectedly.

THE LARGER TREND
As FDA officials note, the U.S. Department of Homeland Security has been aware of the URGENT/11 vulnerability since July. Healthcare IT News reported then that the 11 zero-day vulnerabilities first discovered by Armis labs could directly impact everything from the routine functioning of a hospital’s basic facilities to life-critical operations.

DHS issued a list of mitigations and patches to protect against the risk, but the process is labor-intensive one given the sheer number of devices that could be affected – as many as 200 million, by some estimates.

The FDA says it is working with device manufacturers and healthcare providers to develop new approaches to securing devices across their product lifecycle. Meanwhile, as it continues to assess new information concerning the URGENT/11 vulnerabilities, it's asking the manufacturers to work with providers to determine which devices could be affected and help them develop risk mitigation plans.

ON THE RECORD
"The FDA urges manufacturers everywhere to remain vigilant about their medical products – to monitor and assess cybersecurity vulnerability risks, and to be proactive about disclosing vulnerabilities and mitigations to address them," FDA Principal Deputy Commissioner Dr. Amy Abernethy said in a statement.

"While we are not aware of patients who may have been harmed by this particular cybersecurity vulnerability, the risk of patient harm if such a vulnerability were left unaddressed could be significant," said Dr. Suzanne Schwartz, deputy director of the Office of Strategic Partnerships and Technology Innovation in the FDA's Center for Devices and Radiological Health.

"It's important for manufacturers to be aware that the nature of these vulnerabilities allows the attack to occur undetected and without user interaction," she added. "Because an attack may be interpreted by the device as a normal network communication, it may remain invisible to security measures."

Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com

Healthcare IT News is a publication of HIMSS Media.