URGENT/11 Cybersecurity Vulnerabilities Could Affect Medical Devices and Hospital Networks
Monday, October 7, 2019
Urgent 11 FDA medical hospital cyber attack cyber security
Print Mail Download i

On the heels of an FDA committee report concerning cybersecurity issues with medical devices [view related post], the U.S. Food and Drug Administration (FDA) issued an alert regarding cybersecurity vulnerabilities, referred to as “URGENT/11,” that could introduce risks for some medical devices and hospital networks.

According to the FDA’s October 1st notice, the URGENT/11 vulnerabilities exist in IPnet, a third-party software component that supports network communications between computers. It affects several operating systems that may impact certain medical devices connected to a communications network, such as wi-fi and public or home Internet, as well as other connected equipment such as routers, connected phones and critical infrastructure equipment. These cybersecurity vulnerabilities may allow a remote user to take control of a medical device and change its function, cause denial of service, or cause information leaks or logical flaws that could prevent a device from functioning properly, if at all.

At this time, although the FDA is unaware of any confirmed adverse events related to the URGENT/11 vulnerabilities, it notes that software to exploit the weaknesses is already publicly available. The FDA alert includes recommendations for manufacturers, health care providers, health care facility staff (including IT professionals), and patients to assess, communicate, and mitigate risks. Some medical device manufacturers are already actively determining which devices have operating systems affected by URGENT/11 and identifying risk and remediation actions, including notification to health care providers and consumers as appropriate.

Devices found to be affected thus far include an imaging system, an infusion pump, and an anesthesia machine.  However, the FDA expects that more medical devices will be identified that contain one or more of the vulnerabilities associated with the original IPnet software.

The FDA encourages patients and their health care providers to report suspected problems with medical devices through the MedWatch Voluntary Reporting Form. Further, the FDA is working closely with other federal agencies, manufacturers, and security researchers to identify, communicate and prevent adverse events related to the URGENT/11 vulnerabilities. More information on URGENT/11 can be found in a corresponding advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security.

Copyright © 2024 Robinson & Cole LLP. All rights reserved.

Current Legal Analysis

More from Robinson & Cole LLP

Privacy Tip #394 – Colorado Amends Privacy Law to Include Neurodata
by: Linn F. Freedman
New Threat: Scattered Spider International Coalition of Hackers
by: Linn F. Freedman
Joint Guidance Published by Five Eyes on Deploying AI Systems Securely
by: Linn F. Freedman
U.S. Government Intervenes in Case Alleging Unauthorized Disclosure of CUI
by: Data Privacy & Cybersecurity Robinson Cole
DoorDash Settles with California Attorney General for Alleged Violations of the CCPA
by: Kathryn M. Rattigan
The State of AI Governance and Diversity: Takeaways from the AI Index Report
by: Blair V. Robinson
Weight Loss, Miracle Medications & the Workplace
by: Abby M. Warren
Additional States Implement Notice Requirements for Healthcare Transactions
by: Leslie J. Levinson , Danielle H. Tangorre
Privacy Tip #393 – Phishing, Smishing, Vishing and Qrishing Schemes Continue to Dupe Users
by: Linn F. Freedman
Congress Introduces Promising Bipartisan Privacy Bill
by: Blair V. Robinson

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins