Oct 8, 2019

Following recent identification of cyber vulnerabilities in third-party software utilized by some medical devices for network communications, the US Food and Drug Administration has issued several recommendations to manufacturers, healthcare providers and patients to manage and mitigate risks stemming from these vulnerabilities.

The “URGENT/11” set of 11 vulnerabilities pertain to IPnet, a third-party communications software component found in a variety of medical device types, and could enable outside parties to commandeer devices and alter their functions or disable them, according to a safety communication from FDA.

Operating systems potentially impacted by URGENT/11

FDA lists several operating systems incorporating IPnet software in at least some versions, including Wind River’s VxWorks, ENEA’s Operating System Embedded (OSE), ThreadX by Microsoft and INTEGRITY by Green Hills.

FDA notes that some device manufacturers have already identified products affected by these vulnerabilities, and that devices impacted so far include an infusion pump, an imaging system and an anesthesia device; the agency anticipates more devices to be affected by URGENT/11 vulnerabilities.

FDA cybersecurity risk mitigation recommendations

For manufacturers whose devices have or may have been affected, FDA recommends risk mitigation steps such as:

  • Running a risk assessment based on FDA cybersecurity post-market guidance;
  • Coordinating with operating system vendors to determine whether patches are available and adequate to mitigate URGENT/11 cyber risks;
  • Prepare updates to devices that will incorporate operating systems unaffected by URGENT/11 vulnerabilities;
  • Coordinate efforts with healthcare facilities to identify any affected devices or systems in use and implement appropriate risk mitigation measures.

Any devices identified as vulnerable to URGENT/11-related threats should be reported to the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.

Emergo by UL will provide further reporting on Urgent/11 and related connected medical device cybersecurity issues as more information becomes available.

Additional US FDA medical device cybersecurity resources:

  • Cyber regulatory support for medical device companies
  • Secure medical device lifecycle management support
  • Organizational procedures consulting for medical device cybersecurity

 

Author

  • Stewart Eisenhart

Related

FDA Adds UL 2900 for Medical Device Cybersecurity to List of Recognized Standards

EMERGO SUMMARY OF KEY POINTS:

  • The US FDA has now officially recognized the UL 2900 cybersecurity standard for medical devices.
  • UL 2900-1 covers general cybersecurity requirements for network-connectable devices.
  • FDA medical device applicants may now declare conformity to UL 2900-1 in order to address cybersecurity requirements as part of their US market registration.
Read more

US FDA recognizes AAMI/UL 2800 standard for medical device interoperability

New standard for medical device and software interoperability to help meet FDA cybersecurity requirements

Read more

US FDA Cybersecurity Requirements for Medical Devices

Are you marketing a wireless, networked, or interconnected medical device in the United States? If so, you can expect intense regulatory scrutiny from the US Food and Drug Administration (FDA).

The FDA pays special attention to cybersecurity vulnerabililties in medical devices, and has established cybersecurity control requirements for network, wireless, and similar technologies. Manufacturers must take extra measures to ensure the cybersecurity of their device throughout its lifecycle. In this white paper, we address your biggest questions about US regulatory requirements for wireless medical devices, including:

  • What is required in a FDA 510(k)?
  • What is required in a FDA Premarket Approval (PMA)?
  • What post-market risk management measures does the agency recommend?
  • What are the components of a compliant cybersecurity framework?

We answer all of these questions and more in this 4-page white paper.

Have questions on what Emergo can do for you?

CONTACT US