Oct 8, 2019
Following recent identification of cyber vulnerabilities in third-party software utilized by some medical devices for network communications, the US Food and Drug Administration has issued several recommendations to manufacturers, healthcare providers and patients to manage and mitigate risks stemming from these vulnerabilities.
The “URGENT/11” set of 11 vulnerabilities pertains to IPnet, a third-party communications software component found in a variety of medical device types, and could enable outside parties to commandeer devices and alter their functions or disable them, according to a safety communication from FDA.
FDA lists several operating systems incorporating IPnet software in at least some versions, including Wind River’s VxWorks, ENEA’s Operating System Embedded (OSE), ThreadX by Microsoft and INTEGRITY by Green Hills.
FDA notes that some device manufacturers have already identified products affected by these vulnerabilities, and that devices impacted so far include an infusion pump, an imaging system and an anesthesia device; the agency anticipates that more devices will be affected by URGENT/11 vulnerabilities.
For manufacturers whose devices have or may have been affected, FDA recommends risk mitigation steps such as:
Any devices identified as vulnerable to URGENT/11-related threats should be reported to the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
Emergo by UL will provide further reporting on URGENT/11 and related connected medical device cybersecurity issues as more information becomes available.
EMERGO SUMMARY OF KEY POINTS: