Posted by Timothy E. Hudson and Madeline Tansey
In a recent press announcement, the U.S. Food and Drug Administration (FDA) released a statement informing healthcare providers, patients, and medical device manufacturers about a set of cybersecurity vulnerabilities that could expose medical devices and hospital networks to serious risks.[1] This set of vulnerabilities, referred to as “URGENT/11,” consists of 11 network flaws discovered by researchers from the enterprise security firm Armis.[2] Though the FDA has not yet received any reports of hackers exploiting these vulnerabilities, it has begun efforts to proactively protect the public from the threats URGENT/11 poses to the healthcare system.
The problem dates back to the early 2000s, when software firms began implementing transmission control protocols and internet protocols (“TCP/IPs”), which are sets of rules and procedures that allow devices to connect to wireless networks. Around this time, Interpeak, a Swedish software firm, created its own TCP/IP network protocol called “IPnet” and sold it to a variety of customers that manage operating systems. These customers then incorporated the IPnet software into their operating systems, which enabled them to link medical devices to the internet and central device networks. Unfortunately, this integration occurred years before anyone discovered the flaws within IPnet that leave billions of medical devices susceptible to hacking.[3]
The implications of IPnet’s vulnerabilities for the healthcare system are much broader, and more severe, than originally thought. According to Armis researchers, URGENT/11 can enable remote users to take down firewall protections and control devices connected to the internet or internal networks.[4] Medical devices running an operating system that uses IPnet, including MRI machines, patient monitors, anesthesia machines, and infusion pumps, are consequently vulnerable to these attacks. For example, Becton Dickinson, a major medical device manufacturer, found its Alaris infusion pump was potentially vulnerable to hacker exploitation because it used the IPnet software.[5] Researchers were able to exploit the infusion pump’s vulnerabilities, which caused it to crash and become unresponsive. This experiment demonstrated the critical nature of the URGENT/11 vulnerabilities and their direct impact on patient safety.
Though IPnet is an old protocol, many medical devices that still use the IPnet software “are critical devices, which go under a much longer period of development and approvals than consumer devices, and have significantly longer life cycles once in use,” said Ben Seri, Vice President of research at Armis. To combat this issue, the FDA has taken steps to disseminate information about which operating systems are affected and has made recommendations to ensure patient safety. Thus far, the agency has identified one or more versions of the following operating systems as vulnerable: VxWorks (by Wind River); Operating System Embedded (by ENEA); INTEGRITY (by Green Hills); ThreadX (by Microsoft); ITRON (by TRON); and ZebOS (by IP Infusion).[6]
The FDA encourages medical device manufacturers to continue monitoring, reporting, and remediating the cybersecurity vulnerabilities. Medical device end users should contact manufacturers to determine whether their devices are impacted and whether those manufacturers have designed software patches to prevent device exploitation. For example, Armis and Wind River (a manufacturer of software used in medical devices) have worked to develop system patches for VxWorks versions that were released after version 6.5, such as VxWorks 653 and VxWorks Cert Edition.[7] Additionally, device users can contact device manufacturers for mitigation techniques, such as the installation of a firewall recommended by Becton Dickinson to block remote attempts to exploit its devices.[8]
While the FDA, Armis, and the Department of Homeland Security seek to resolve this issue, the FDA will continue to focus on informing those in the healthcare sphere about URGENT/11. As one FDA spokesperson noted, “Awareness is key because without it, industry cannot begin their risk assessment and mitigation activities.”
[1] See U.S. Food & Drug Admin., FDA informs patients, providers and manufacturers about potential cybersecurity vulnerabilities for connected medical devices and health care networks that use certain communication software (Oct. 1, 2019).
[2] Lily Hay Newman, Decades-Old Code Is Putting Millions of Critical Devices at Risk (Oct. 1, 2019).
[3] See Dennis Fisher, URGENT/11 flaws now affect broader range of medical, network devices (Oct. 3, 2019).
[4] See Armis, UPDATE: URGENT/11 affects additional RTOSs – Highlights Risks on Medical Devices (last visited Oct. 8, 2019).
[5] Fisher, supra.
[6] U.S. Food & Drug Admin., supra.
[7] Armis, supra.
[8] Newman, supra.