The FDA recommended that healthcare IT staff monitor network traffic and logs for signs that attackers are exploiting the URGENT/11 vulnerabilities, and use firewalls, virtual private networks (VPNs), or other security tools to minimize the facility’s exposure to them.
“Though the IPnet software may no longer be supported by the original software vendor, some manufacturers have a license that allows them to continue to use it without support. Therefore, the software may be incorporated into other software applications, equipment, and systems which may be used in a variety of medical and industrial devices that are still in use today,” the FDA explained in its advisory.
URGENT/11 is a set of vulnerabilities in the IPnet TCP/IP stack, so it is not limited to VxWorks: other operating systems that incorporated IPnet are also affected, including ENEA’s OSE, Green Hills’ INTEGRITY, Microsoft’s ThreadX, TRON Forum’s ITRON, and IP Infusion’s ZebOS.
The agency advised medical device manufacturers to take the following measures:
- Conduct a risk assessment to evaluate the impact of the vulnerabilities on their medical device portfolio and develop risk mitigation plans. Because an attack may be interpreted by the medical device as normal network communications, it may remain invisible to existing security measures.
- Work with the OS vendor to determine whether a patch is available and undertake the recommended mitigation methods. Medical device manufacturers will need to evaluate and validate the patch for their devices.
- Ensure that security tools currently in use, such as firewalls and VPNs, are not themselves impacted by URGENT/11.
- Develop a plan for updating medical devices to a version of the OS or communication protocol that is not impacted by the URGENT/11 vulnerabilities.
- Work with healthcare providers and facilities to determine which medical devices are affected and develop methods to reduce risks.
- Communicate with customers and the user community regarding assessments, recommendations for risk mitigation strategies, and any compensating controls, to enable them to make informed decisions about device use.
- Report medical devices identified as vulnerable to URGENT/11 to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
The FDA also recommended that healthcare providers advise patients who use medical devices to seek medical help if they think the operation or function of their device has changed. In addition, providers should work with device manufacturers to determine which devices in the providers’ facilities, or in use by patients, might be affected by URGENT/11, and develop a risk mitigation strategy.
“While advanced devices can offer safer, more convenient and timely health care delivery, a medical device connected to a communications network could have cybersecurity vulnerabilities that could be exploited resulting in patient harm,” said Amy Abernethy, M.D., Ph.D., FDA’s principal deputy commissioner.
“The FDA urges manufacturers everywhere to remain vigilant about their medical products — to monitor and assess cybersecurity vulnerability risks, and to be proactive about disclosing vulnerabilities and mitigations to address them. This is a cornerstone of the FDA’s efforts to work with manufacturers, health care delivery organizations, security researchers, other government agencies and patients to develop and implement solutions to address cybersecurity issues that affect medical devices in order to keep patients safe,” Abernethy concluded.