FDA: Medical devices vulnerable to hacks

October 4, 2019

Medicare Web

The Food and Drug Administration (FDA) on Tuesday warned patients, healthcare providers, and manufacturers that some medical devices and hospital networks may be vulnerable to cyberattacks due to 11 vulnerabilities known as URGENT/11.

The vulnerabilities could give hackers the ability to take control of medical devices remotely, potentially letting hackers change a device’s function, cause denial of service, or leak information. Those actions could lead medical devices to malfunction, the FDA said.

The security firm Armis was the first to discover the URGENT/11 vulnerabilities, which the Department of Homeland Security disclosed to the public in July. At the time, Armis knew of only one vulnerable operating system, but the firm recently found that six additional operating systems are vulnerable, prompting the latest warning.

“URGENT/11 is serious as it enables attackers to take over devices with no user interaction required, and even bypass perimeter security devices such as firewalls,” according to a report by Armis. “These devastating traits make these vulnerabilities ‘wormable,’ meaning they can be used to propagate malware into and within networks.”

Even though the FDA has not received any reports of medical devices being exploited by URGENT/11, the agency is still urging caution. “While we are not aware of patients who may have been harmed by this particular cybersecurity vulnerability, the risk of patient harm if such a vulnerability were left unaddressed could be significant,” Suzanne Schwartz, deputy director of the FDA’s Office of Strategic Partnerships and Technology Innovation, said in an FDA news release.

Healthcare providers should warn patients who use medical devices about the risks and work with device manufacturers to determine if medical devices are affected, according to the FDA. Additionally, healthcare facility staff should monitor network traffic and use security measures such as firewalls and virtual private networks to limit exposure to URGENT/11.

“The FDA will continue to assess new information concerning the URGENT/11 vulnerabilities and will keep the public informed if significant new information becomes available,” the FDA said.