FDA Warns of Potential Medical Device Cybersecurity Defects

The US Food and Drug Administration (FDA) issued a warning on Tuesday (October 1) regarding the possibility of cybersecurity attacks on software that powers certain medical devices.

According to Armis Security, 11 device vulnerabilities, dubbed URGENT/11, allow hackers to gain complete control of devices remotely and without outside interference.

The FDA states that this kind of attack can alter the function of devices, as well as deny service and leak information — essentially resulting in device malfunction.

URGENT/11 vulnerabilities are found in a third party software called IPnet, which is used across a wide range of industrial and medical devices. IPnet was developed by Interpeak, which Wind River Systems acquired in 2006. IPnet is a software that allows computers to communicate over a network; it can be integrated into other software applications and systems.

The affected operating systems include: VxWorks by Wind River, Operating System Imbedded by ENA and ThreadX by Microsoft (NASDAQ:MSFT). The vulnerabilities may not be found in all of these examples.

Suzanne Schwartz, deputy director of the office of strategic partnerships and technology innovation at the FDA’s Center for Devices and Radiological Health, said that the agency hasn’t been notified of patients who may have been exposed to any kind of cybersecurity attack. However, she expressed that any such attack “could be significant.”

“It’s important for manufacturers to be aware that the nature of these vulnerabilities allows the attack to occur undetected and without user interaction,” Schwartz said. “Because an attack may be interpreted by the device as a normal network communication, it may remain invisible to security measures.”

According to the FDA, many medical device manufacturers are evaluating which devices may be impacted, while others have notified customers of potentially affected products, including imaging systems, infusion pumps and anesthesia machines.

While the exact number of devices potentially impacted is not clear, the FDA said devices with at least one of the vulnerabilities will be made known.

The FDA will continue developing ways to properly address cybersecurity-related issues throughout the duration of a medical device’s life. This includes working closely with researchers and developers in addition to government-related bodies.

According to a report from Research and Markets, the medical device security market will reach US$6.59 billion by 2023, up from US$4.36 billion in 2018. This represents a compound annual growth rate of 8.6 percent during the forecast period.

As data breaches continue posing threats at a global scale, impact on the healthcare sector is no surprise. Research and Markets says drivers of the the medical device security market include a rise in cyberattacks in the healthcare industry, an increase in the geriatric population and chronic disease management, government regulations and the demand for connected medical devices.

Tuesday’s FDA announcement comes ahead of an FDA medical device software regulation strategy seminar, which is expected to take place in Philadelphia, Pennsylvania, in November.

Research and Markets states that the seminar will focus on education on the agency’s recent medical device regulation strategies, as well as on malicious hacks and how to deal with software issues.

Don’t forget to follow us at @INN_LifeScience for real-time updates!

Securities Disclosure: I, Jocelyn Aspa, hold no direct investment interest in any company mentioned in this article.