The U.S. Food and Drug Administration (FDA) is informing patients, health care providers and facility staff, and manufacturers about cybersecurity vulnerabilities that may introduce risks for certain medical devices and hospital networks. The FDA is not aware of any confirmed adverse events related to these vulnerabilities. However, software to exploit these vulnerabilities is already publicly available.
A security firm has identified 11 vulnerabilities, named “URGENT/11.” These vulnerabilities may allow anyone to remotely take control of the medical device and change its function, cause denial of service, or cause information leaks or logical flaws, which may prevent device function.
These vulnerabilities exist in IPnet, a third-party software component that supports network communications between computers. Though the IPnet software may no longer be supported by the original software vendor, some manufacturers have a license that allows them to continue to use it without support. Therefore, the software may be incorporated into other software applications, equipment, and systems that may be used in a variety of medical and industrial devices still in use today.
Recommendations for Health Care Providers
- Advise patients who use medical devices that may be affected.
- Remind patients who use medical devices to seek medical help right away if they think the operation or function of their medical device has changed unexpectedly.
- Work with device manufacturers to determine which medical devices in your facilities or in use by your patients could be affected by these vulnerabilities and develop risk mitigation plans.
Recommendations for Patients and Caregivers
- Talk to your health care provider to determine if your medical device may be affected. Please be aware that health care providers may not have access to this information at the time of issuance of this communication. Device manufacturers should be reaching out to their customers as more information becomes available.
- Seek medical help right away if you think the operation or function of your medical device has changed unexpectedly.