

Medtech companies issue alerts for Axeda cybersecurity vulnerability

Posted 09 March 2022 | By Ferdous Al-Faruque 


Major medtech companies are warning customers of serious cybersecurity vulnerabilities in their products caused by third-party remote access software. If exploited, the set of vulnerabilities known as “Access:7” could allow malicious hackers to steal patient data and even change how medical devices operate.
On 8 March, the US Food and Drug Administration (FDA) issued an alert that PTC’s Axeda agent and Axeda Desktop Server used to remotely access certain medical devices over the internet had a number of serious vulnerabilities.
“Successful exploitation of this vulnerability could allow an unauthorized attacker to take full control of the host operating system, resulting in full system access, remote code execution, read/change configuration, file system read access, log information access, and a denial-of-service condition,” the agency said. “Depending on its use in the medical device, these vulnerabilities could result in changes to the operation of the medical device and impact the availability of the remote support functionality.”
In response, Bayer notified users of its MEDRAD Injection Systems and Radimetrics Dose Management Software that those products may be vulnerable to hackers because they use the Axeda software. The company said it has been working with the FDA and the Health Information Sharing and Analysis Center (H-ISAC) to patch its products.
“We have been working with urgency to minimize any potential impact to our customers and have deployed a patch to all Bayer devices connected to VirtualCARE Remote Support,” said Bayer. “Injectors that have received this patch are no longer at risk for the vulnerability.”
The company said it is also in the final stages of implementing a software update for devices that are not currently connected through its VirtualCARE Remote system; once the update is available, it will be applied for those customers at their next service visit.
Similarly, GE Healthcare, Accuray, Elekta Technologies and Varian have all issued statements on what products are affected by the vulnerability and how to mitigate the risks to their customers.
The FDA and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) have made a number of recommendations for manufacturers who use the Axeda software, including upgrading the application, creating a unique password for the product’s desktop configuration file, and ensuring that connections are made only with trusted hosts.
The vulnerability was first brought to PTC’s attention by security researchers Yuval Shoshani and Elad Luz of CyberMDX and Vedere Labs.


© 2022 Regulatory Affairs Professionals Society.
