Medical device and communications software continue to be an area of interest for federal government agencies.
On October 1, 2019, the FDA and the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) released advisory notices to inform patients, medical providers, IT staff and manufacturers about a set of cybersecurity vulnerabilities.
Specifically, the FDA described the vulnerabilities, collectively called "URGENT/11," as ones "that, if exploited by a remote attacker, may introduce risks for medical devices and hospital networks. URGENT/11 affects several operating systems that may then impact certain medical devices connected to a communications network, such as Wi-Fi and public or home Internet, as well as other connected equipment such as routers, connected phones and other critical infrastructure equipment."
In turn, these vulnerabilities may cause the following adverse events: control of the medical device by a remote user; denial of service; breaches of protected health information (PHI); and malfunctioning of a medical device. The FDA's release builds on CISA's July 2019 notice.
Likewise, CISA built on its July 2019 advisory about the Interpeak IPnet TCP/IP stack, which was licensed to several real-time operating system (RTOS) vendors. The following products were deemed to be affected:
- ENEA reports that OSE4 and OSE5 may have been bundled with Interpeak IPnet from 2004-2006. In 2007, ENEA replaced Interpeak IPnet with OSENet.
- Green Hills Software reports that Interpeak IPnet was a third-party add-on for the INTEGRITY RTOS from 2003-2006.
- Wind River reports the following versions of VxWorks are affected:
In turn, medical device manufacturers such as GE Healthcare, Medtronic, Philips Healthcare and Abbott Laboratories reported products affected by the aforementioned vulnerabilities. To mitigate the risk of attack, CISA emphasized the need for adequate technical security measures to protect the patient's information and the operability of the device. Specific preventative measures include: minimizing network exposure for all control system devices, so that they are not reachable from the Internet; isolating control system networks and remote devices behind firewalls, separated from the business network; and using Virtual Private Networks (VPNs) when remote access is required. CISA's standard caveat applies here as well: a VPN is only as secure as the devices connected to it, and VPN software itself must be kept current. These network-level measures reduce exposure but do not remove the flaws from the IPnet stack; that requires the patched firmware the device or RTOS vendor supplies. (https://www.us-cert.gov/ics/advisories/icsma-19-274-01)
These warnings by the FDA and CISA should not be ignored, especially in relation to URGENT/11. Amy Abernethy, M.D., Ph.D., FDA's principal deputy commissioner, summed it up: "The FDA urges manufacturers everywhere to remain vigilant about their medical products, to monitor and assess cybersecurity vulnerability risks, and to be proactive about disclosing vulnerabilities and mitigations to address them. This is a cornerstone of the FDA's efforts to work with manufacturers, health care delivery organizations, security researchers, other government agencies and patients to develop and implement solutions to address cybersecurity issues that affect medical devices in order to keep patients safe."
Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.