FDA Issues Warning About Serious Security Flaws in Critical Medical Devices

On October 1, 2019, the U.S. Food and Drug Administration (FDA) published an advisory about 11 cybersecurity vulnerabilities identified by the security firm Armis and named the “URGENT/11.” The FDA says that although it has no reports of “adverse events related to these vulnerabilities, software to exploit these vulnerabilities is already publicly available” and “may introduce risks for certain medical devices and hospital networks.”

The FDA warns manufacturers, healthcare providers, hospitals and patients that the security flaws may cause certain devices to malfunction. It reports that these vulnerabilities “can be traced back to a network protocol created nearly two decades ago that became an industry standard.” Specifically, as detailed in the FDA advisory, the Urgent/11 vulnerabilities “may allow anyone to remotely take control of the medical device and change its function, cause denial of service, or cause information leaks or logical flaws, which may prevent device function.”

Describing the nature of the risk in greater detail, Fierce Healthcare quotes Armis researchers, who say, “Urgent/11 is serious as it enables attackers to take over devices with no user interaction required, and even bypass perimeter security devices such as firewalls and NAT solutions. These devastating traits make these vulnerabilities ‘wormable,’ meaning they can be used to propagate malware into and within networks.”

Hospitals and healthcare providers may review the FDA’s full advisory for its recommendations on mitigating these risks.

MLMIC encourages our facilities and providers to explore these issues in more depth. Your facility engineer or IT staff should review the appropriate equipment and devices and contact vendors to determine which, if any, of the devices in your organization may be vulnerable, and what can be done to remedy these vulnerabilities.