On October 1, 2019, the FDA and the U.S. Department of Homeland Security Cyber + Infrastructure (CISA) released advisory notices in an effort to inform patients, medical providers, IT staff and manufacturers about a collective of cybersecurity vulnerabilities.
Specifically, the FDA stated, “’URGENT/11,’ that—if exploited by a remote attacker—may introduce risks for medical devices and hospital networks. URGENT/11 affects several operating systems that may then impact certain medical devices connected to a communications network, such was wi-fi and public or home Internet, as well as other connected equipment such as routers, connected phones and other critical infrastructure equipment.”
In turn, these vulnerabilities may cause the following adverse events: control of the medical device by a remote user; denial of service; breaches of protected health information (PHI); and malfunctioning of a medical device. The FDA’s release builds on the CISA’s July 2019 notice.
Likewise, the CISA built upon its July 2019 notice about Interpeak IPnet stack. The following products were deemed to be affected: ENEA reports that OSE4 and OSE5 may have been bundled with Interpeak IPnet from 2004-2006. In 2007, ENEA replaced Interpeak IPnet with OSENet.
Green Hills Software reports Interpeak IPnet was a third-party add-on for INTREGRITY RTOS from 2003-2006.
Wind River reports the following versions of VxWorks are affected:
- All versions of VxWorks under CURRENT support (18.104.22.168, Vx7 SR540, Vx7 SR610) are affected by one or more of the CVE numbers detailed below.
- Older, end-of-life versions of VxWorks back to 6.5 are also affected by one or more of the CVE numbers below.
- All versions of the discontinued product Advanced Networking Technology (ANT) are likely affected by one or more of the CVE numbers below.
- The VxWorks bootrom network stack leverages the same IPnet source as VxWorks and, as a result, is also technically vulnerable to CVE-2019-12256. The same patches and mitigations apply to VxWorks and the bootrom network stack; however, the bootrom normally uses statically assigned IP-addresses, not DHCP. If that is true, then the defects related to those protocols do not apply in practice. Also, a successful exploit of the bootrom network stack has a more difficult timing component. In typical applications, the bootrom does not listen to TCP-ports, which means that the TCP-related issues must be timed with the target downloading data from the network.
- VxWorks 653 MCE 3.x may be affected. Contact Wind River customer support ([email protected]) for more details.
In turn, additional vendors such as GE Healthcare, Medtronic, Philips Healthcare and Abbott Laboratories were deemed to be affected by the aforementioned vulnerabilities. In order to mitigate the risk of attack, CISA emphasized the need for adequate technical security measures in order to protect the patient’s information and the operability of the device. Specific preventative measures include: minimizing network exposure; isolate control system networks and remote devices behind firewalls; and use Virtual Private Networks (VPNs). (https://www.us-cert.gov/ics/advisories/icsma-19-274-01)
These warnings by the FDA and CISA should not be ignored, especially in relation to URGENT/11. Amy Abernethy, M.D., Ph.D., FDA’s principal deputy commissioner summed it up: “The FDA urges manufacturers everywhere to remain vigilant about their medical products—to monitor and assess cybersecurity vulnerability risks, and to be proactive about disclosing vulnerabilities and mitigations to address them. This is a cornerstone of the FDA’s efforts to work with manufacturers, health care delivery organizations, security researchers, other government agencies and patients to develop and implement solutions to address cybersecurity issues that affect medical devices in order to keep patients safe.”
Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.