The FDA has been cautioning patients, providers, IT staff and manufacturers of various vulnerabilities that if exploited could allow a hacker to remotely take control of a medical device.
These "urgent/11" vulnerabilities affect several operating systems that may then impact medical devices connected to a communications network. Hackers can exploit these vulnerabilities to change the function of medical devices, cause denial of services or leak information.
The vulnerabilities can be found in third-party software, known as IPnet, which computers use to communicate with each other. Security experts, manufactures and the FDA discovered the following operating systems may be affected by the vulnerabilities:
- VxWorks (by Wind River).
- Operating System Embedded (by ENEA).
- Integrity (by GreenHills).
- ThreadX (By Microsoft).
- Itron (by Tron).
- ZebOS (by IP Infusion).
The FDA is unaware of any adverse events that have been caused by the vulnerabilities.
"The FDA urges manufacturers everywhere to remain vigilant about their medical products—to monitor and assess cybersecurity vulnerability risks, and to be proactive about disclosing vulnerabilities and mitigations to address them," said Amy Abernethy, MD, PhD, principal deputy commissioner of the FDA. "This is a cornerstone of the FDA’s efforts to work with manufacturers, health care delivery organizations, security researchers, other government agencies and patients to develop and implement solutions to address cybersecurity issues that affect medical devices in order to keep patients safe."