
 

October 1, 2019
by Zachary Brennan

FDA Warns of Widespread Device Cyber Vulnerabilities

Following other regulators’ warnings, the US Food and Drug Administration (FDA) on Tuesday alerted medical device manufacturers and other stakeholders to 11 vulnerabilities that may allow for remote control of a range of medical devices and changes to their functions that may prevent a device from functioning properly.

The Cybersecurity and Infrastructure Security Agency within the US Department of Homeland Security also released an advisory in July about the cybersecurity vulnerabilities, known as URGENT/11.

“Some medical device manufacturers are already actively assessing which devices that use these operating systems are affected by URGENT/11 and identifying risk and remediation actions. Several manufacturers have also notified their customers consumers with devices determined to be affected so far, which include an imaging system, an infusion pump, and an anesthesia machine,” FDA says.

Germany’s Federal Institute for Drugs and Medical Devices (BfArM) previously warned in August of the vulnerabilities, which it said could occur in MRI machines and patient monitors. And device companies including GE Healthcare, Philips, Siemens and Dräger have released their own warnings and security advisories, noting which of their systems are vulnerable.

Meanwhile, FDA is offering several recommendations for manufacturers, which include conducting a risk assessment, working with an operating system vendor to identify if a patch is available and working with health care providers and facilities to determine affected devices and to discuss and develop ways to ensure that risks are reduced.

And health care providers are called on to advise patients who use medical devices that may be affected, while health care staff are told to monitor network traffic and logs for indications that an URGENT/11 exploit is taking place.

Axel Wirth, chief security strategist of cybersecurity company MedCrypt, said he thought the FDA’s recommendation on advising patients with regard to the vulnerabilities is “not quite practical.” He added: “We have not yet seen any reports of a medical device vulnerability leading to an adverse effect for a patient. In the past, vulnerabilities were handled by security teams in hospitals. I am not sure if, at present, patients would be able to recognize a cyber issue related to their devices, nor would I expect that clinicians have been trained on how to assess such a case.”

FDA Safety Communication

Updated on 10/2/19 with comment from Wirth.