US FDA risk mitigation recommendations for medical devices affected by URGENT/11

Industry Focus
Industry Focus

The healthcare industry is changing and we have the breadth of expertise to help you evolve with it. View All
We have deep expertise with a range of product types, including combination and borderline products.
Services
Services

Comprehensive service offerings at every point in the product life cycle.
A platform of digital products to improve, simplify and automate RA/QA activities
LEARN MORE
Blog
Blog

The latest industry news and insights from our global team. View All
Featured
Resources
Resources

Resources and tools tailored to medical device professionals. View All
MDR Resource Center

The knowledge you need for MDR implementation

Europe's Medical Devices Regulation (MDR) goes into effect in May 2020, and we want you to be prepared. Meet our MDR team and get free educational resources on the MDR.
Events
Events

Learn from our experts through live events. View All
Types

Webinars

Workshops

Tradeshows

Other

Related Service

Market Access

Digital Health & Cybersecurity

Human Factors Research & Design
Upcoming

NMPA Expectations for Applying Human Factors Engineering (HFE) to Medical Devices

March 18, 2021

Get more details
About
About

Our global consulting team works from 20+ offices on six continents. View All
- News
- Certifications
- Careers
- Locations
US Location
- Emergo by UL Global Headquarters
- 2500 Bee Cave Road
  Building 1, Suite 300
  Austin Texas 78746
  +1 512 222 0262
- ALL LOCATIONS

Close

Oct 8, 2019

Following recent identification of cyber vulnerabilities in third-party software utilized by some medical devices for network communications, the US Food and Drug Administration has issued several recommendations to manufacturers, healthcare providers and patients to manage and mitigate risks stemming from these vulnerabilities.

The “URGENT/11” set of 11 vulnerabilities pertain to IPnet, a third-party communications software component found in a variety of medical device types, and could enable outside parties to commandeer devices and alter their functions or disable them, according to a safety communication from FDA.

Operating systems potentially impacted by URGENT/11

FDA lists several operating systems incorporating IPnet software in at least some versions, including Wind River’s VxWorks, ENEA’s Operating System Embedded (OSE), ThreadX by Microsoft and INTEGRITY by Green Hills.

FDA notes that some device manufacturers have already identified products affected by these vulnerabilities, and that devices impacted so far include an infusion pump, an imaging system and an anesthesia device; the agency anticipates more devices to be affected by URGENT/11 vulnerabilities.

FDA cybersecurity risk mitigation recommendations

For manufacturers whose devices have or may have been affected, FDA recommends risk mitigation steps such as:

Running a risk assessment based on FDA cybersecurity post-market guidance;
Coordinating with operating system vendors to determine whether patches are available and adequate to mitigate URGENT/11 cyber risks;
Prepare updates to devices that will incorporate operating systems unaffected by URGENT/11 vulnerabilities;
Coordinate efforts with healthcare facilities to identify any affected devices or systems in use and implement appropriate risk mitigation measures.

Any devices identified as vulnerable to URGENT/11-related threats should be reported to the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.

Emergo by UL will provide further reporting on Urgent/11 and related connected medical device cybersecurity issues as more information becomes available.

Additional US FDA medical device cybersecurity resources:

Cyber regulatory support for medical device companies
Secure medical device lifecycle management support
Organizational procedures consulting for medical device cybersecurity

Author

Stewart Eisenhart

Search form

Health Canada issues new Interim Order and addresses eligibility for RUO labeling

Eudamed requirements ahead of Eudamed

NMPA Expectations for Applying Human Factors Engineering (HFE) to Medical Devices

Search form

US FDA recommendations to mitigate URGENT/11 medical device cybersecurity vulnerabilities

Questions? Request more information from our specialists

Operating systems potentially impacted by URGENT/11

FDA cybersecurity risk mitigation recommendations

Additional US FDA medical device cybersecurity resources:

Author

Related

Have questions on what Emergo can do for you?

© 2021 EMERGO by UL. All Rights Reserved. Privacy Terms of Use Data Subject Access Request Portal

Health Canada issues new Interim Order and addresses eligibility for RUO labeling

Eudamed requirements ahead of Eudamed

Types

Related Service

NMPA Expectations for Applying Human Factors Engineering (HFE) to Medical Devices

US FDA recommendations to mitigate URGENT/11 medical device cybersecurity vulnerabilities

Questions? Request more information from our specialists

Operating systems potentially impacted by URGENT/11

FDA cybersecurity risk mitigation recommendations

Additional US FDA medical device cybersecurity resources:

Author

Related

FDA Adds UL 2900 for Medical Device Cybersecurity to List of Recognized Standards

US FDA recognizes AAMI/UL 2800 standard for medical device interoperability

US FDA Cybersecurity Requirements for Medical Devices

Have questions on what Emergo can do for you?