US FDA risk mitigation recommendations for medical devices affected by URGENT/11

Oct 8, 2019

Following recent identification of cyber vulnerabilities in third-party software utilized by some medical devices for network communications, the US Food and Drug Administration has issued several recommendations to manufacturers, healthcare providers and patients to manage and mitigate risks stemming from these vulnerabilities.

The “URGENT/11” set of 11 vulnerabilities pertain to IPnet, a third-party communications software component found in a variety of medical device types, and could enable outside parties to commandeer devices and alter their functions or disable them, according to a safety communication from FDA.

Operating systems potentially impacted by URGENT/11

FDA lists several operating systems incorporating IPnet software in at least some versions, including Wind River’s VxWorks, ENEA’s Operating System Embedded (OSE), ThreadX by Microsoft and INTEGRITY by Green Hills.

FDA notes that some device manufacturers have already identified products affected by these vulnerabilities, and that devices impacted so far include an infusion pump, an imaging system and an anesthesia device; the agency anticipates more devices to be affected by URGENT/11 vulnerabilities.

FDA cybersecurity risk mitigation recommendations

For manufacturers whose devices have or may have been affected, FDA recommends risk mitigation steps such as:

Running a risk assessment based on FDA cybersecurity post-market guidance;
Coordinating with operating system vendors to determine whether patches are available and adequate to mitigate URGENT/11 cyber risks;
Prepare updates to devices that will incorporate operating systems unaffected by URGENT/11 vulnerabilities;
Coordinate efforts with healthcare facilities to identify any affected devices or systems in use and implement appropriate risk mitigation measures.

Any devices identified as vulnerable to URGENT/11-related threats should be reported to the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.

Emergo by UL will provide further reporting on Urgent/11 and related connected medical device cybersecurity issues as more information becomes available.

Additional US FDA medical device cybersecurity resources:

Cyber regulatory support for medical device companies
Secure medical device lifecycle management support
Organizational procedures consulting for medical device cybersecurity

Author

Stewart Eisenhart

Search form

Dutch regulators weigh in on no-deal Brexit impact for medical device companies

FDA issues final guidance on devices containing animal-derived materials

Applying usability to medical device design presentation featured at MEDI’NOV Connection 2020

MDR Transition: Countdown to compliance

Search form

US FDA recommendations to mitigate URGENT/11 medical device cybersecurity vulnerabilities

Questions? Request more information from our specialists

Operating systems potentially impacted by URGENT/11

FDA cybersecurity risk mitigation recommendations

Additional US FDA medical device cybersecurity resources:

Author

Related

Have questions on what Emergo can do for you?

© 2019 EMERGO by UL. All Rights Reserved. Privacy Terms of Use Data Subject Access Request Portal

Dutch regulators weigh in on no-deal Brexit impact for medical device companies

FDA issues final guidance on devices containing animal-derived materials

Types

Related Service

Applying usability to medical device design presentation featured at MEDI’NOV Connection 2020

MDR Transition: Countdown to compliance

US FDA recommendations to mitigate URGENT/11 medical device cybersecurity vulnerabilities

Questions? Request more information from our specialists

Operating systems potentially impacted by URGENT/11

FDA cybersecurity risk mitigation recommendations

Additional US FDA medical device cybersecurity resources:

Author

Related

Have questions on what Emergo can do for you?