FDA Warns of Widespread Device Cyber Vulnerabilities

Regulatory NewsRegulatory News
| 01 October 2019 | By Zachary Brennan 

Following other regulators’ warnings, the US Food and Drug Administration (FDA) on Tuesday alerted medical device manufacturers and other stakeholders to 11 vulnerabilities that may allow for remote control of a range of medical devices and changes to their functions that may prevent a device from functioning properly.

The Cybersecurity and Infrastructure Security Agency within the US Department of Homeland Security also released an advisory in July about the cybersecurity vulnerabilities, known as URGENT/11.

“Some medical device manufacturers are already actively assessing which devices that use these operating systems are affected by URGENT/11 and identifying risk and remediation actions. Several manufacturers have also notified their customers consumers with devices determined to be affected so far, which include an imaging system, an infusion pump, and an anesthesia machine,” FDA says.

Germany’s Federal Institute for Drugs and Medical Devices (BfArM) previously warned in August of the vulnerabilities, which it said could occur in MRI machines and patient monitors. And device companies including GE HealthcarePhilipsSiemens and Dräger have released their own warnings and security advisories, noting which of their systems are vulnerable.

Meanwhile, FDA is offering several recommendations for manufacturers, which include conducting a risk assessment, working with an operating system vendor to identify if a patch is available and working with health care providers and facilities to determine affected devices and to discuss and develop ways to ensure that risks are reduced.

And health care providers are called on to advise patients who use medical devices that may be affected, while health care staff are told to monitor network traffic and logs for indications that an URGENT/11 exploit is taking place.

Axel Wirth, chief security strategist of cybersecurity company MedCrypt, said he thought the FDA’s recommendation on advising patients with regard to the vulnerabilities is “not quite practical.” He added: “We have not yet seen any reports of a medical device vulnerability leading to an adverse effect for a patient. In the past, vulnerabilities were handled by security teams in hospitals. I am not sure if, at present, patients would be able to recognize a cyber issue related to their devices, nor would I expect that clinicians have been trained on how to assess such a case."

FDA Safety Communication

Updated on 10/2/19 with comment from Wirth.


© 2022 Regulatory Affairs Professionals Society.

Discover more of what matters to you

No taxonomy